Solved: Convert timestamp from BST to EDT

davidcraven02 · ‎06-13-2018

My approach was to subtract 5 hours (18000 seconds) from the timestamp but when using the below line I get no results.

| eval timestamp =  timestamp - 18000

Full Query without subtraction

index=duo extracted_eventtype=authentication integration="Microsoft RDP" username=*
| eval Time=strftime(timestamp, "%H:%M") 
| eval day=strftime(timestamp, "%Y-%m-%d") 
| stats earliest(Time) by day, username  
| rename earliest(Time) as LogonTime 
| table username, day, LogonTime  
| sort username

I included the timestamp in the table to show its format.

renjith_nair · ‎06-13-2018

Try the substraction with the original time fields "_time" or convert it using strptime

     | eval BST_Time= _time - 18000

or use the relative_time function

|eval BST_Time=relative_time(_time,"-5h")

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎06-13-2018

Try the substraction with the original time fields "_time" or convert it using strptime

     | eval BST_Time= _time - 18000

or use the relative_time function

|eval BST_Time=relative_time(_time,"-5h")

---
What goes around comes around. If it helps, hit it with Karma 🙂

davidcraven02 · ‎06-13-2018

Thank you this worked.

Convert timestamp from BST to EDT

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!