@martin_mueller
Changing the timezone via settings is not an option for me, thanks though for your insight.
@linu1988
I am getting an error when I tried yours, thanks anyways.
FYI, I was able to make it work using the following:
eval epochtime = strptime(date,"%FT%H:%M:%S.%3Q")-14400 | eval "Revised" = strftime(epochtime, "%F %H:%M %p") | table Revised
@martin_mueller
Changing the timezone via settings is not an option for me, thanks though for your insight.
@linu1988
I am getting an error when I tried yours, thanks anyways.
FYI, I was able to make it work using the following:
eval epochtime = strptime(date,"%FT%H:%M:%S.%3Q")-14400 | eval "Revised" = strftime(epochtime, "%F %H:%M %p") | table Revised
i thought you had your default timeforamt in _time field!! Btw good that you have done it.
You can set the timezone for your user to GMT-4: SplunkBar -> Username -> Edit Account -> Timezone
That will make Splunk render all timestamps, including custom strftime()
outputs, as GMT-4. It won't affect _raw
text of course.
|eval _time=_time-(4*3600)|convert timeformat="%y-%m-%d %H:%M" ctime(_time)