Splunk Search

strptime using 2020-03-08T02:00:21 is 1 hour off

paulerlong
Explorer

The following query returns a result that is one hour off.

| makeresults
| eval timestr="2020-03-08T02:00:21"
| eval unixtime=strptime(timestr, "%Y-%m-%dT%H:%M:%S")
| eval convertedBackToString=strftime(unixtime, "%Y-%m-%dT%H:%M:%S")
| table timestr, unixtime, convertedBackToString

If I change the date or hour, it works correctly. But for any time (I didn't try them all) in the 2 o'clock range, strptime returns the wrong value. This happens on Splunk Enterprise 8.1.3 and my previous version, which I think was 8.0.2. This works correctly on 7.3.11.

Can somebody confirm this is a bug?

Thanks,

Paul

 

0 Karma

paulerlong
Explorer

Forgot to add the result I see.  Timestr and convertedBackToString should be identical, I think, but they are not.

[Image: paulerlong_0-1617829608152.png]

0 Karma

paulerlong
Explorer

I saw a response, but it was retracted.  However, I think it was correct.  3/8 2020 was when the clock changed for EST timezone.  Therefore 2:00AM-3:00AM doesn't exist.  On the server I can configure the timezone to GMT, which I do, so it worked properly in that environment.

However, now I can't figure out how to change the time zone from the Splunk Enterprise running on my local machine.  It's a free version, so I can't add a user to set the time zone info.  So how can I configure this local version of Splunk Enterprise to use GMT?

Thanks,

Paul

0 Karma
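The DST gap described in the post above, reproduced as an added Python example (not part of the original thread and not Splunk's implementation). It assumes the poster's "EST" setting corresponds to the IANA zone America/New_York; `classify` and `round_trip` are hypothetical helper names, and the sample timestamps other than the one from the question are constructed.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%dT%H:%M:%S"  # same format string as the query in the thread


def classify(timestr, tzname):
    """Return 'ok', 'nonexistent' (DST gap) or 'ambiguous' (DST overlap)."""
    tz = ZoneInfo(tzname)
    naive = datetime.strptime(timestr, FMT)
    # PEP 495: fold=0 and fold=1 select the two candidate UTC offsets.
    first = naive.replace(tzinfo=tz, fold=0)
    second = naive.replace(tzinfo=tz, fold=1)
    if first.utcoffset() == second.utcoffset():
        return "ok"
    # Offsets differ: in a gap the wall clock does not survive a UTC round trip,
    # in an overlap it does (the same wall time simply occurs twice).
    back = first.astimezone(timezone.utc).astimezone(tz).replace(tzinfo=None)
    return "nonexistent" if back != naive else "ambiguous"


def round_trip(timestr, tzname):
    """Parse as local time in tzname, convert to epoch, format it back."""
    tz = ZoneInfo(tzname)
    local = datetime.strptime(timestr, FMT).replace(tzinfo=tz)
    epoch = local.timestamp()
    return epoch, datetime.fromtimestamp(epoch, tz).strftime(FMT)


if __name__ == "__main__":
    samples = [
        ("2020-03-08T02:00:21", "America/New_York"),  # timestamp from the question
        ("2020-03-08T02:00:21", "UTC"),               # same string, zone without DST
        ("2020-03-08T01:59:59", "America/New_York"),  # constructed: just before the gap
        ("2020-11-01T01:30:00", "America/New_York"),  # constructed: autumn overlap
    ]
    for ts, zone in samples:
        epoch, back = round_trip(ts, zone)
        print(f"{ts} {zone:17} {classify(ts, zone):11} epoch={epoch:.0f} back={back}")
```

When normalizing log timestamps, a string that classifies as `nonexistent` or `ambiguous` cannot be mapped to a single instant without knowing the source's UTC offset, which is why parsing in UTC round-trips cleanly.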

richgalloway
SplunkTrust

I retracted my answer when I realized DST changed on 7 Mar 21 rather than 8 Mar 21.

I think your only option for changing the time zone on free Splunk is to change the time on your machine.

---
If this reply helps you, an upvote would be appreciated.

0 Karma

paulerlong
Explorer

My date is from 2020, and that year the change coincides with the time.

Bummer about changing the system timezone. That's a big change just to get Splunk to work correctly. Hopefully they can address this moving forward.

Thanks for the help!

Paul

0 Karma