Solved: Trouble with UTC time

BearMormont · ‎08-21-2018

I have some search results that return values in the format %Y-%m-%d %H:%M:%S. For example:

...some search... | table UpdateTime

This would yield the following table:

UpdateTime

2018-06-06 13:49:28
2017-12-22 08:23:21

I know for a fact that time string is in UTC, not my local time. All I need to do is display the number of minutes that have elapsed between that UTC string and the time the event was recorded (_time). Everything I try keeps giving me negative numbers for recent events, I assume because it is treating the UpdateTime field as being in local time, not UTC.

Can anyone help me?

BearMormont · ‎08-21-2018

Figured it out. Update Time needed a timezone identifier:

eval UpdateTime = UpdateTime." UTC"

Then I can convert the value properly:

eval EpochTime = strptime(UpdateTime, "%Y-%m-%d %H:%M:%S %Z")
eval ElapsedMinutes = (_time - UpdateTime) / 60

View solution in original post

BearMormont · ‎08-21-2018

Figured it out. Update Time needed a timezone identifier:

eval UpdateTime = UpdateTime." UTC"

Then I can convert the value properly:

eval EpochTime = strptime(UpdateTime, "%Y-%m-%d %H:%M:%S %Z")
eval ElapsedMinutes = (_time - UpdateTime) / 60

Trouble with UTC time

UpdateTime

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World

Are you a member of the Splunk Community?

Trouble with UTC time

UpdateTime

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World