- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Eval to find current time in another timezone
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eval to find current time in another timezone
I'm familiar with strftime and starptime command and timezones, but cant seem to manipulate now() and convert to a known timezone. As an example now() returns in PDT timezone and I would like to convert now() to CST6CDT. I tried using eval to do a diff but it doesnt return the field. Any idea why?
| eval time_diff=strptime("CST6CDT", "%Z")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I needed to get the current time in UTC timezone:
| eval utc_hourid=strftime(relative_time(now(),"+".(tonumber(strftime(now(),"%H"))-tonumber(strftime(strptime(strftime(now(),"%m/%d/%Y %H:%M:%S UTC"),"%m/%d/%Y %H:%M:%S %Z"),"%H")))."h"),"%m/%d/%Y %H:%M:%S")
You can probably turn this eval exp to get current time in any timezone, just replace "UTC" with the timezone you want. This work with daylight savings time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MuS
great search, it inspired me to look a little closer and do it even more general (i wondered first why you eval´ed AKDT and CEST), with only one timeformat string
index=_internal | head 1 | eval foo=relative_time(now(), "-90m@s" ) | eval boo=relative_time(now(), "+21m@s" ) | eval now=now() | convert timeformat="%d.%m.%y %H:%M:%S" ctime(now), ctime(foo), ctime(boo) | t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Close but not quite: http://answers.splunk.com/answers/4528/finding-your-local-timezone-with-eval
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for feedback. I also found another Splunk search that will convert the offset value (ie -0400) to relative time and then change it. This is almost what I'm looking for. The problem is that I have all our customer's timezones and I would like to create the alert based on their local business hours. So if the time is between these local business hours, send the alert. The timezone codes are all the standardized notation that Splunk (python) supports but it seems like trying to convert the timezone code to epoch time doesnt work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi BP9906,
try this run everywhere command:
index=_internal | head 1 | eval AKDT="-8h" | eval CEST="+2h" | eval foo=relative_time(now(), AKDT ) | eval boo=relative_time(now(), CEST ) | eval foo=strftime(foo, "%Y-%m-%d %H:%M:%S.%3N" ) | eval boo=strftime(boo, "%Y-%m-%d %H:%M:%S.%3N" ) | table foo boo
the times for foo and boo are in AKDT (Alaska Daylight Time) and CEST (Central European Summer Time). As you can see I had to eval them first and then use them with relative_time.
To take this one step further, you could setup some automatic lookup containing all TZ and use them to do your time calculations.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Might not be what you're looking for, but you can change the time zone your Splunk user is in to make Splunk display all times appropriately.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
