Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk function or query which will convert event timestamp field "timestamp" to local timestamp

Abhineet
Loves-to-Learn Everything
‎04-05-2022 09:27 AM

Looking splunk function or query to change timestamp of  "_time" field in local timestamp.

when we present statistical table of data with time field then that time field value should converted to local time irrespective of location where query are getting executed.

EX:-

timeMessage IDSenderRecipientSubjectMessageSizeAttachmentNamedAttachmentNameFilterActionFinalRuleTLS Version
4/5/22 9:01<DM5P102MB0126B6CF54A6B2F44B6F6BF295E49@DM5P102MB0126.NAMP102.PROD.OUTLOOK.COM>Darren_Collishaw@amat.comtobycollishaw@hotmail.comCourses - Youtube15201

text.txt text.html

 continueoutbound_cleanTLSv1.2

 

"timestamp" column  in above example should get changed according to local time zone when we execute query.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-05-2022 09:59 AM

The _time field is stored as a unix timestamp (number of seconds since so-called "epoch") and is rendered in webui according to the timezone defined in user's preferences. There is no way to set another timezone within a search.

If you want to parse another field from the event (which is most likely represented in some string form), you should use strptime() to convert from that string to timestamp and then use fieldformat (preferably) or eval with strftime to convert this timestamp to a string.

And again - splunk always shows the timestamp in user's timezone but can parse and interpret a timezone if it's included in the date string. Otherwise it parses the datetime string as if it was in local time.

For example - if I'm located in CEST, the string "5.04.2022 18:57:00", if I call strptime with proper format string will get interpreted as 18:57 CEST. But if the string says "5.04.2022 18:57:00PDT" and I tell splunk to use the timezone definition, it will get parsed as PDT time even though my local timezone is CEST. But if I call strftime on both timestamps, they will be both rendered in CEST, regardless of what timezone the initial string contained.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...