Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk function or query which will convert event timestamp field "timestamp" to local timestamp

Abhineet
Loves-to-Learn Everything
‎04-05-2022 09:27 AM

Looking splunk function or query to change timestamp of  "_time" field in local timestamp.

when we present statistical table of data with time field then that time field value should converted to local time irrespective of location where query are getting executed.

EX:-

timeMessage IDSenderRecipientSubjectMessageSizeAttachmentNamedAttachmentNameFilterActionFinalRuleTLS Version
4/5/22 9:01<DM5P102MB0126B6CF54A6B2F44B6F6BF295E49@DM5P102MB0126.NAMP102.PROD.OUTLOOK.COM>Darren_Collishaw@amat.comtobycollishaw@hotmail.comCourses - Youtube15201

text.txt text.html

 continueoutbound_cleanTLSv1.2

 

"timestamp" column  in above example should get changed according to local time zone when we execute query.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-05-2022 09:59 AM

The _time field is stored as a unix timestamp (number of seconds since so-called "epoch") and is rendered in webui according to the timezone defined in user's preferences. There is no way to set another timezone within a search.

If you want to parse another field from the event (which is most likely represented in some string form), you should use strptime() to convert from that string to timestamp and then use fieldformat (preferably) or eval with strftime to convert this timestamp to a string.

And again - splunk always shows the timestamp in user's timezone but can parse and interpret a timezone if it's included in the date string. Otherwise it parses the datetime string as if it was in local time.

For example - if I'm located in CEST, the string "5.04.2022 18:57:00", if I call strptime with proper format string will get interpreted as 18:57 CEST. But if the string says "5.04.2022 18:57:00PDT" and I tell splunk to use the timezone definition, it will get parsed as PDT time even though my local timezone is CEST. But if I call strftime on both timestamps, they will be both rendered in CEST, regardless of what timezone the initial string contained.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top