- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Specify time zone in static earliest and latest ti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to send a search with a specific time range to people in different time zones. I can use earliest and latest to specify an exact time, but I don't see how to specify the timezone for each. Is there a convenient way to do this, or should I create a macro that computes the time appropriate for each user.
Here is what I do now:
base search ... earliest="2/1/2018:10:00:00" latest="2/1/2018:10:05:00"
I would like to do this:
base search ... earliest="2/1/2018:10:00:00 +00:00" latest="2/1/2018:10:05:00 +00:00"
OR
base search ... earliest="2/1/2018:10:00:00 UTC" latest="2/1/2018:10:05:00 UTC"
but neither of these work.
I know that I can add a macro or a bunch of SPL to make something work, but I was hoping for simplicity.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a possible answer:
base search ... earliest=1517479200 latest=1517479500
Since epoch time is always UTC, this can be given to anyone. It's pretty convenient. I might create something to allow me to cut and paste the Splunk search time range into it to convert to this format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found a possible answer:
base search ... earliest=1517479200 latest=1517479500
Since epoch time is always UTC, this can be given to anyone. It's pretty convenient. I might create something to allow me to cut and paste the Splunk search time range into it to convert to this format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you know how I would handle a search where I need to exclude a certain time period , such as this (these times are in UTC):
| eval Hour=strftime(_time,"%H")
| eval Minute=strftime(_time,"%M")
| search NOT ( (Hour=00 AND Minute >= 00) AND (Hour=00 AND Minute <= 20) )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that's exactly what you should do! Do you want help converting? It'll be a pretty straightforward application of the strptime function. You'll want these: http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Commontimeformatvariables
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm good with that. Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you send these timestamps to users in various time zones, do you want them to wind up each searching for the same time window, regardless of their locale (e.g. they all look at the web proxy logs for events at 1:05PM-1:10PM EDT) or do you want them to wind up searching for time windows relevant to their respective locales (e.g. they all look at web proxy logs for events that occurred at 1:05PM-1:10PM in their local time zones)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for commenting. I want them to find the exact same events that I saw without giving them a URL.
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
SignalFlow: What? Why? How?
