Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strftime adds 1 hour after converting

MedralaG
Communicator
‎04-16-2018 07:34 AM

I'm working on identifying which hosts are located in which time zone as the client does not have an inventory list and they have devices all around the globe.
I'm calculating the difference between the _time that was extracted from the log and _indextime to establish the difference between them, which will be a good indication of how many time zones the devices is away.
I get values of ranges around 0-15, around 3600 and around 7200, which is expected.
Now when I try to use strftime to express that difference into a readable format it always adds 1 hour to it.

Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-16-2018 07:41 AM

Don't use strftime to deal with durations, use the following (where diff is your difference value in seconds):

 | eval diff=tostring(diff, "duration")

View solution in original post

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...