I have a log that contains multiple time fields:
_time (ingest time)
Processed time (processed_time)
Actioned time (actioned_time)
Result time (result_time)
_time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone, so it's working fine. However, the rest of the fields are just static fields. I went through doing the following for processed time (an example timestamp is Apr 10 2020 05:45:52).
So I wrote the following SPL to convert the static field "processed_time" to epoch
index=foo
| eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")
What I would like to do is add time to this event. So if I wanted to add 2, 4, 9 hours to this field how would I do that?
I tried doing
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %:::z +8)
and
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %Z)
but all this does is set the offset to +8 in this example or the timezone I am in with %Z. I need this time (processed_time) as well as actioned_time and result_time to show me in this example, 8 hours later.
What I also want to know is how do I then put this into something like props or transforms so I don't have to do this via SPL?
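An added example, not part of the original post: one way to shift all three static fields by 8 hours is to add seconds to the epoch value returned by strptime before formatting it again, since the %z and %Z specifiers only change how the offset is printed. The processed_time value is the one from the post; the actioned_time and result_time values and the `_plus8h` field names are constructed for illustration, and result_time is chosen late in the day so the date rollover is visible.

```spl
| makeresults
| eval processed_time="Apr 10 2020 05:45:52",
       actioned_time="Apr 10 2020 06:01:10",
       result_time="Apr 10 2020 23:30:00"
| foreach processed_time actioned_time result_time
    [ eval <<FIELD>>_epoch = strptime('<<FIELD>>', "%b %d %Y %H:%M:%S")
    | eval <<FIELD>>_plus8h = strftime('<<FIELD>>_epoch' + (8 * 3600), "%b-%d-%Y %H:%M:%S") ]
| table processed_time processed_time_plus8h actioned_time actioned_time_plus8h result_time result_time_plus8h
```

Change the multiplier to 2, 4 or 9 for other shifts; `relative_time('<<FIELD>>_epoch', "+8h")` is an equivalent way to compute the shifted epoch.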