Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timezone- Could you please help me convert all the values to a standard  timezone(UTC)?

ranjithan
Path Finder
‎10-23-2022 07:27 AM

Hi Community,

Please help me..

I have a field Expiration with values having different timezones . Could you please help me convert all the values to a standard  timezone(UTC).  Any help would be appreciated.  Thanks in advance

Expiration

18:02:56 EDT Oct 5 2022
12:02:56 CDT Oct 5 2022
13:02:56 EDT Oct 5 2022
18:02:56 CDT Oct 5 2022
18:59:59 EST Nov 15 2022
19:59:59 EDT Oct 5 2022
17:02:56 UTC Oct 5 2022
18:59:59 CDT Oct 5 2022
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 07:44 AM

Hi @ranjithan,

you could extract the timezone from the field and then put in a lookup the convertion factor.

so create a lookup called timezone_convertion_factor.csv with two columns: timezone, convertion_factor like the following (in the real case, obviously put all the values that you can find in many sites as https://en.wikipedia.org/wiki/List_of_tz_database_time_zones😞

 

timezone convertion_factor
EDT -5
CDT -6
EST -5
UTC 0

 

 you could run something like this:

 

<your_search>
| eval timezone=strftime(Expiration,"%Z")
| lookup timezone_convertion_factor.csv timezone OUTPUT convertion_factor
| eval Expitarion_UTC=Expitarion+convertion_factor*3600
| table Expitarion_UTC

 

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 07:44 AM

Hi @ranjithan,

you could extract the timezone from the field and then put in a lookup the convertion factor.

so create a lookup called timezone_convertion_factor.csv with two columns: timezone, convertion_factor like the following (in the real case, obviously put all the values that you can find in many sites as https://en.wikipedia.org/wiki/List_of_tz_database_time_zones😞

 

timezone convertion_factor
EDT -5
CDT -6
EST -5
UTC 0

 

 you could run something like this:

 

<your_search>
| eval timezone=strftime(Expiration,"%Z")
| lookup timezone_convertion_factor.csv timezone OUTPUT convertion_factor
| eval Expitarion_UTC=Expitarion+convertion_factor*3600
| table Expitarion_UTC

 

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

ranjithan
Path Finder
‎10-23-2022 08:41 AM

Thank you so much   .    Also I just realised that using   %Z  with strptime automatically converts to epoch time from any time zone and this also can  standardise the time    for time calculations.  

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 11:31 PM

HI @ranjithan,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

ranjithan
Path Finder
‎10-24-2022 02:56 AM

Thanks again for your help! 

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...