I am trying to convert the field "date_zone" reported by our Universal Forwarders (UF) in "index=_internal" from +0900 to KRW. Everything I have tried returns my account's local time zone (TZ). The time and date_zone in the event are accurate for our Korea UFs (and other geo locations), but the conversion attempts always return the local zone. I can search for the field date_zone all day, and it works fine every time. It changes to my time zone when I try to convert from %z to %Z.
We have hundreds of UFs spread across many TZs and need to monitor and report that they have, and continue to have, their TZ offset set properly, but I am trying to make it more friendly to read (KRW is more meaningful than +0900).
In your search add this near the end:
... | eval date_zone=if(date_zone="+0900", "KRW", date_zone)
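As an added example (not the answerer's code), the same idea extended to the per-UF report the question asks for: map several offsets to labels with case(), aggregate by host, and flag hosts whose offset changed during the search window. The offset-to-label table and the sourcetype/source filter are assumptions; adjust them to the offsets your forwarders actually report (the question uses "KRW" as the label for +0900; the common abbreviation is KST).

```spl
index=_internal sourcetype=splunkd source=*metrics.log
| stats values(date_zone) AS offsets_seen dc(date_zone) AS offset_count latest(date_zone) AS date_zone BY host
| eval tz_label=case(
      date_zone=="+0900", "KST (UTC+9)",
      date_zone=="+0000", "UTC",
      date_zone=="-0500", "EST (UTC-5)",
      date_zone=="-0800", "PST (UTC-8)",
      true(), "unmapped ".date_zone)
| eval offset_changed=if(offset_count>1, "yes", "no")
| table host date_zone tz_label offset_changed offsets_seen
| sort offset_changed host
```

Because date_zone is read straight from the raw event, this mapping is not affected by the search user's time zone setting; a host with offset_changed="yes" is one whose TZ configuration drifted inside the search window.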
Hi Timayes,
date_time does not reflect your local time, but is the value of time/date directly from the raw events.
To determine the time of your server:
1. In Account Settings, set Time Zone to Default System Timezone
2. Run a search over the last 15 minutes
3. Read the event timestamps and compare with your local time
Hope this helps. Thanks!
Hunter
Thanks Hunter. Maybe I misrepresented. I understand, and stated as much, that date_time, date_hour, date_zone, date_* reflect the remote host, but what I am trying to do is convert to a human readable TZ vice the offset. Everything that I have tried converts the REMOTE date_time to my LOCAL TZ using the date_time of a remote host.
I can compare time stamps visually, but that is not what I am looking for. I am trying to create a report/dashboard of all of my remote TZs (derived from date_zone of each UF) and compare them with the FQDN of each UF. Thanks for the response though.