
Splunk function or query which will convert event timestamp field "timestamp" to local timestamp

Abhineet
Loves-to-Learn Everything

Looking for a Splunk function or query to change the timestamp of the "_time" field to a local timestamp.

When we present a statistical table of data with a time field, that time field's value should be converted to local time irrespective of the location where the query is being executed.

EX:-

time:            4/5/22 9:01
Message ID:      <DM5P102MB0126B6CF54A6B2F44B6F6BF295E49@DM5P102MB0126.NAMP102.PROD.OUTLOOK.COM>
Sender:          Darren_Collishaw@amat.com
Recipient:       tobycollishaw@hotmail.com
Subject:         Courses - Youtube
MessageSize:     15201
AttachmentNamed: text.txt
AttachmentName:  text.html
FilterAction:    continue
FinalRule:       outbound_clean
TLS Version:     TLSv1.2

The "timestamp" column in the above example should get changed according to the local time zone when we execute the query.


PickleRick
SplunkTrust

The _time field is stored as a Unix timestamp (number of seconds since the so-called "epoch") and is rendered in the web UI according to the timezone defined in the user's preferences. There is no way to set another timezone within a search.

If you want to parse another field from the event (which is most likely represented in some string form), you should use strptime() to convert from that string to a timestamp and then use fieldformat (preferably) or eval with strftime to convert this timestamp to a string.

And again - Splunk always shows the timestamp in the user's timezone but can parse and interpret a timezone if it's included in the date string. Otherwise it parses the datetime string as if it were in local time.

For example - if I'm located in CEST, the string "5.04.2022 18:57:00", if I call strptime with the proper format string, will get interpreted as 18:57 CEST. But if the string says "5.04.2022 18:57:00PDT" and I tell Splunk to use the timezone definition, it will get parsed as PDT time even though my local timezone is CEST. But if I call strftime on both timestamps, they will both be rendered in CEST, regardless of what timezone the initial string contained.
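The following search is an added example illustrating the behaviour described in the answer above; it is not part of the original answer. It builds its own sample strings with makeresults, so it runs without any indexed data. The field names, the format strings and the space before the timezone abbreviation in the second sample (the answer's string has none) are assumptions made for this example, as is the assumption that "PDT" is an abbreviation Splunk's %Z parsing recognizes.

```spl
| makeresults count=1
| eval raw_local="05.04.2022 18:57:00"
| eval raw_pdt="05.04.2022 18:57:00 PDT"
| eval ts_local=strptime(raw_local, "%d.%m.%Y %H:%M:%S")
| eval ts_pdt=strptime(raw_pdt, "%d.%m.%Y %H:%M:%S %Z")
| eval offset_hours=round((ts_pdt - ts_local) / 3600, 1)
| eval ts_pdt_text=strftime(ts_pdt, "%Y-%m-%d %H:%M:%S %Z")
| fieldformat ts_local=strftime(ts_local, "%Y-%m-%d %H:%M:%S %Z")
| fieldformat ts_pdt=strftime(ts_pdt, "%Y-%m-%d %H:%M:%S %Z")
| table raw_local ts_local raw_pdt ts_pdt ts_pdt_text offset_hours
```

Run by a user whose preference timezone is CEST, ts_local renders as 18:57 CEST on 2022-04-05 and ts_pdt as 03:57 CEST on 2022-04-06, because 18:57 PDT (UTC-7) is 01:57 UTC the next day and CEST is UTC+2. offset_hours is computed on the raw epoch numbers, so it is 9 for every user regardless of their timezone setting, while the two fieldformat lines render the same epoch values differently for each viewing user. fieldformat is the preferable choice because the field stays numeric underneath for sort, stats and timechart; ts_pdt_text shows the eval alternative, which replaces the number with a string fixed in the timezone of whoever ran the search.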
