Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why strftime with %Z work differently between...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
In my dashboard, i saw a strange things with Timezone printing. In fact i have to make time conversion and show detail for a specific usage. I want to show date in a specific timezone (which could change dynamically).
If I make calculation in query i have what i want.
If I make calculation in token the result is not good.
<dashboard>
<label>timeComponent</label>
<row>
<panel>
<table>
<search>
<query>|makeresults
|eval out_time=strftime(time(),"%Z %z")
|table out_time
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<set token="fromSearch">$result.out_time$</set>
<eval token="fromEval">strftime(time(),"%Z %z")</eval>
</done>
</search>
</table>![alt text][1]
</panel>
</row>
<row>
<panel>
<html>
<table border="0" cellpadding="12" cellspacing="0">
<tr>
<td>Value in Search</td>
<td>[$fromSearch$]</td>
</tr>
<tr>
<td>Value in eval</td>
<td>[$fromEval$]</td>
</tr>
</table>
</html>
</panel>
</row>
</dashboard>
Why the %Z is not working in the Eval ?
My question is : Is it normal to have different results ?
I have to make some time transformation and i wouldn't use fake (transformation using an other query, ...) just for changing timezone.
Any idea ?
Thanks
Régis Alzaté
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.
And in my query i add the final transformation
| eval _time = _time * 2 - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))
If it can help someone else.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.
And in my query i add the final transformation
| eval _time = _time * 2 - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))
If it can help someone else.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I read that the eval tag in dashboards has some limitation/changes as compared to eval in search command. See this: http://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/tokens#Define_token_filtering_and_formatting
It's NOT listed explicitly that %Z is not supported in dashboard-xml-eval, but seems like it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi and thanks somesoni2
This doc mentions "different behavior" for strftime. (personally, i see this behavior as a bug)
I'm agree with you, but if we have to develop a huge trick just to convert timezone, i found that not user friendly.
I think i have no other choose that implement a dummy query or other trick to do it.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ralzate, I think %Z, does not play well with eval based token. So if you have have valid Splunk Entitlement you should create a BUG Request (Tag Bug to this question as well).
Meanwhile as you have said,
1) Use %zfor Timezone in eval and then convert the same to %Z in your actual search or
2) Have a dummy search to over come this situation
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Use %z is not good for me because i need timezone with daylight saving time, in this case i have to search the good correspondence (not easy to do).
I can do the second solution temporary until i have a better solution.
I will raise a bug request.
Thanks all
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
