Hello! Splunk n00b looking for confirmation of something! I can't find documentation for date_month that specifies whether it is localized. It appears that it isn't. Given this example search, which spans Feb 28 and Mar 1 in my timezone:
... earliest=1551384000 latest=1551416401
| eval date_month_local=strftime(_time, "%B")
| search date_month=march date_month_local=February
Which returns results claiming to be in both March and February starting at 7pm local (I'm UTC-0500). That makes sense if date_month is based on UTC.*
Given that, if I have a report that I want to run on the previous month (Feb, in this example) and I want a field with the name of the month in that report, should I be using strftime(_time, "%B") instead of date_month? If I use date_month, the report (which runs in -0500) ends up with a 'march' value for records after Feb 28 7pm -0500.
If I haven't completely missed something, then all this might seem a bit self-evident (and hopefully helpful for someone). There was some surprise amongst management when it seemed that date_month was not localized. That's why I want to be very sure I have this right. If anyone knows documentation that describes or implies how date_month treats timezones, I would appreciate being pointed at it.
Thanks for your time!
*UPDATE: As described by somesoni2 in the accepted answer, date_month is based on the literal string at index time. In this case, the indexer was looking at a timestamp field which happened to be in UTC.
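To reproduce the effect outside Splunk, here is an added example (not from the original post or from Splunk) that takes the question's earliest/latest epoch window and compares a month name derived from the UTC timestamp, as an indexer reading a UTC time string would populate date_month, against strftime("%B") evaluated in the poster's UTC-0500 timezone. The fixed -0500 offset and one-sample-per-minute step are assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Search window from the question (epoch seconds): spans Feb 28 / Mar 1 2019.
EARLIEST = 1551384000
LATEST = 1551416401
# The poster's UTC-0500; a fixed offset is assumed (no DST on this date).
LOCAL_TZ = timezone(timedelta(hours=-5))


def month_utc(epoch: int) -> str:
    """Month name as date_month ends up when the indexed timestamp string is UTC
    (Splunk stores date_month lower-cased, e.g. 'march')."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%B").lower()


def month_local(epoch: int) -> str:
    """Month name as strftime(_time, "%B") yields it in the searching user's timezone."""
    return datetime.fromtimestamp(epoch, tz=LOCAL_TZ).strftime("%B")


def local_label(epoch: int) -> str:
    """Human-readable local time, for explaining where the two fields diverge."""
    return datetime.fromtimestamp(epoch, tz=LOCAL_TZ).strftime("%Y-%m-%d %H:%M")


def mismatch_window(earliest: int, latest: int, step: int = 60):
    """Sample one event per `step` seconds in [earliest, latest] and return
    (first_epoch_where_months_differ, number_of_differing_samples)."""
    first = None
    count = 0
    for t in range(earliest, latest + 1, step):
        if month_utc(t) != month_local(t).lower():
            count += 1
            if first is None:
                first = t
    return first, count


if __name__ == "__main__":
    first, count = mismatch_window(EARLIEST, LATEST)
    print(f"date_month and local month diverge from {local_label(first)} local "
          f"(epoch {first}); {count} of the sampled minutes are affected")
```

Running it shows the divergence beginning at Feb 28 19:00 local, the same 7pm boundary observed in the search above, and ending at local midnight when both fields agree on March again.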