Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change timezone of a timestamp in results of search?

tyhopping1
Engager
‎11-19-2019 08:42 AM

I have created a query that tracks the Start and End Time of a given job. These start and end times are calculated by taking the earliest timestamp(StartTime) and latest timestamp(EndTime).

Currently the timestamps, and in turn Start/End times, are in GMT. However, I need the Start/End Time to be returned in CT within the results of the search.

Here is my query:

NameOfJob = JOBNAME| spath timestamp | search timestamp=*
| eval day = strftime(_time, "%Y-%m-%d") 
| stats min(timestamp) as StartTimeEpoch, max(timestamp) as EndTimeEpoch by NameOfJob day 
| eval StartTimeEpoch=strptime(StartTimeEpoch, "%Y-%m-%dT%H:%M:%S")
| eval EndTimeEpoch=strptime(EndTimeEpoch, "%Y-%m-%dT%H:%M:%S")
| eval duration=(EndTimeEpoch-StartTimeEpoch) | eval minutes = duration/60 | eval hours = minutes/60
| eval StartTimeEpochD = strftime(StartTimeEpoch,"%Y-%m-%dT%H:%M:%S")
| eval EndTimeEpochD = strftime(EndTimeEpoch, "%Y-%m-%dT%H:%M:%S")
| sort by StartTimeEpochD

Any help is appreciated. Thank you

Tags (2)
0 Karma
Reply

mayurr98
Super Champion
‎11-19-2019 09:15 AM

CT is 6 hours behind the GMT. So you would need minus the 6 hours from GMT

try this:

NameOfJob = JOBNAME 
| spath timestamp 
| search timestamp=* 
| eval day = strftime(_time, "%Y-%m-%d") 
| stats min(timestamp) as StartTimeEpoch, max(timestamp) as EndTimeEpoch by NameOfJob day 
| eval StartTimeEpoch=strptime(StartTimeEpoch, "%Y-%m-%dT%H:%M:%S") 
| eval EndTimeEpoch=strptime(EndTimeEpoch, "%Y-%m-%dT%H:%M:%S") 
| eval duration=(EndTimeEpoch-StartTimeEpoch) 
| eval minutes = duration/60 
| eval hours = minutes/60 
| eval StartTimeEpoch=StartTimeEpoch-21600 
| eval EndTimeEpoch=EndTimeEpoch-21600 
| eval StartTimeEpochD_CT = strftime(StartTimeEpoch,"%Y-%m-%dT%H:%M:%S") 
| eval EndTimeEpochD_CT = strftime(EndTimeEpoch, "%Y-%m-%dT%H:%M:%S") 
| sort by StartTimeEpochD_CT
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...