splunk query to a different timezone fail

cyberpop

I use fieldformat "Date Time"=strftime('Date Time',"%F %T %:z %Z","Asia/Hong Kong"). but it said the syntax is wrong. how to resolve it, thanks

PickleRick

Wait. What are you trying to do?

As I understand it, you have a field with an epoch-based unix timestamp and want to render it to a string, right?

Splunk renders the time in the timezone set in your user's preferences. Period.

There is no function which lets you render a given timestamp in a different timezone. It's by design and while in some specific use cases it might be less than perfect in most cases it actually saves you a lot of trouble because you always have a fixed timezone against which you can interpret your timestamp strings.

You can cheat a bit by "adjusting" your timestamp by a proper offset between your user's configured timezone and the target timezone and then rendering your timestamp to a string but that's not something I'd recommend since you can quickly lose track the actual time for your events.

cyberpop

so how to convert to Hong Kong timezone?

cyberpop

The %HKT didn't work, I use |fieldformat "Date Time"=strftime('DateTime',%F %T %:z %Z %HKT"), it display 2025-09-24 01:31:23 EDT 1KT, I think it is wrong

cyberpop

I replace %Z with %HKT as suggested. I use |fieldformat "Date Time"=strftime('DateTime',%F %T %HKT"), it display 2025-09-24 01:31:23 EDT 1KT, I think it take hour (%H) instead of %HKT. I want to get HKT time by using SPL query. kindly help

MuS

replace %Z with %HKT

MuS

According to https://en.wikipedia.org/wiki/List_of_time_zone_abbreviations Hong Kong has HKT so you could use %HKT in strftime

MuS

Hi there,

According to https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/10.0/evaluation-functions/d... strftime only uses a time field and the format like

strftime(<time>,<format>)

I sugest to remove the ,"Asia/Hong Kong" bit from the SPL.

cheers, MuS