Hey Splunk Gurus- I'm attempting to calculate the duration between when an event was first identified (which is an entry in the event "alert.created_at") and the "_time" timestamp. I'm able to calculate this timestamp difference using strptime("alert.created_at") but the conversion of that time to epoch is relative to the viewers timezone.  The duration changes based on how you configure the Splunk UI timezone. The "_time" field is set to "current" in props.conf Here's my current search:   index=* alert.tool.name=* action="fixed" | eval create_time=strptime('alert.created_at', "%Y-%m-%dT%H:%M:%SZ") | eval duration = _time - create_time     Here's a sample of the log:   { "action": "fixed", "alert": { "number": 2, "created_at": "2021-11-22T23:49:19Z" } }     When I execute this search while my UI preferences are set to "GMT" the result is 1183959 which is the correct duration.  When I set that preference to "PST", the result is 1155159.  That number is wrong by exactly 8 hours. Any suggestions on how to deal with this?  I'm fine with either a search-time solution or a config change in props.conf if that's best. Thanks!   ... View more

Hey 👋, I'm trying to get the time difference between when an event was received and a string representation of the time in the event.   Here's an example of the event:   { "action": "created", "alert": { "number": 818, "created_at": "2021-11-16T21:52:12Z", "url": "https://somewebsite.com" } }   The issue is the conversion of the time in "alert.created_at" from string to epoch.  Once I'm able to get the epoch representation, calculating the difference from _time is easy.   I'm working off this eval statement, but cant get it to work:   | eval strtime=strptime(alert.created_at, "%Y-%m-%dT%H:%M:%SZ") | table strtime   Any thoughts?  Thanks! ... View more