Hi!
I have log entries with a timestamp embedded for expiration inside the log event.
What's the best way to convert the newly generated epoch to local time?
Log sample:
EXPIRES Feb 11 17:11:15 2015 GMT
Search:
... | rex "(?i)EXPIRES (?P<TEST>.*)" | eval epochtime=strptime(TEST, "%b %d %H:%M:%S %Y") | eval ET=strftime(epochtime,"%b %d %H:%M:%S %Y")
Output sample:
TEST                        epochtime            ET
Feb 11 17:11:15 2015 GMT    1423674687.000000    Feb 11 17:11:15 2015
| eval te=strptime(t,"%b %d %T %Y %Z") | eval tl=strftime(te,"%b %d %T %Y %Z")
You need to include the timezone capture (%Z) so that Splunk can calculate what the offset needs to be.
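A run-anywhere search contrasting the two parses, added here as an example and not part of the original posts. The event is constructed from the log sample above, and the field names te_no_tz, skew_hours and days_left are hypothetical. skew_hours is non-zero whenever the searching user's timezone is not GMT, which is the error the %Z capture removes; days_left shows the usual follow-on use for expiry monitoring.

```spl
| makeresults
| eval _raw="EXPIRES Feb 11 17:11:15 2015 GMT"
| rex "(?i)EXPIRES (?P<t>.*)"
| eval te_no_tz=strptime(t, "%b %d %T %Y")
| eval te=strptime(t, "%b %d %T %Y %Z")
| eval skew_hours=(te_no_tz - te) / 3600
| eval tl=strftime(te, "%b %d %T %Y %Z")
| eval days_left=round((te - now()) / 86400, 1)
| table t te_no_tz te skew_hours tl days_left
```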