Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timezone offset causing blanks during conversion

rhilderbrand1
Observer
‎12-06-2021 12:14 PM

I have a date column that I'm trying to convert to %m/%d/%Y. The date stamp is a little complex but I got it to work until daylight savings took affect. Now anything with a timezone offset that has a non-zero number in the third digit, -0480 for example, returns blank. Below is my query...

| inputlookup DateStampConvert.csv
| rename "System Name" as systemName
| rename "Date Stamp" as DateStampDate
| eval dateStamp=strftime(strptime(DateStampDate, "%b %d %Y %H:%M:%S %z"), "%m/%d/%Y")
| table systemName dateStamp
| outputlookup dateStamp.csv

Is there something I'm missing?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-06-2021 01:04 PM

-0480? What kind of a timezone spec is that?

0 Karma
Reply

rhilderbrand1
Observer
‎12-09-2021 06:18 AM

Not sure. Everything was fine during daylight savings time but on November 8, half of the devices started reporting their UTC time offsets in what I assume are minutes rather than hours and minutes. The messed up time offsets are all multiples of 60, for example -0480 or -0360. I suspect the use of %z is strictly with hour and minute formats so anything greater than 59 in the last two digits may throw it off. I guess I'll have to read up on rex or regex to pull the needed info out instead. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-09-2021 12:55 PM

LOL. I just had a very similar case myself. See this thread https://community.splunk.com/t5/Getting-Data-In/Index-time-extraction-and-non-indexed-field/m-p/5777...

The difference is that you want to do the parsing/correction in search-time whereas I did it in index-time (since I had to correct _time).

But the general idea is the same - extract the main part of the event as UTC, extract the "timezone" part, cast it to number, multiply by 60 and add the resulting number to the main timestamp.

Reply

johnhuang
Motivator
‎12-06-2021 12:58 PM

Share some examples.

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...