Is there a way to show local time of the device of that area?

kiran331
Builder

Hi

I have a data source with device name, timestamp in UTC, and gmtoffset values. I need to show a new field with the local timestamp, showing the local time of that device. Can I do it using a Splunk query?

base search... | table READER  time_UTC gmtoffset 

eg:

  READER      time_UTC                     gmtoffset
  CA_123      2016-10-01 06:04:51.0        -300

DalJeanis
Legend

This really ought to be a primitive in Splunk, like an optional third parameter on strftime. Unfortunately, doing it accurately requires an immense infrastructure, such as an implementation of the IANA/Olson Time Zone Database (see http://stackoverflow.com/tags/timezone/info and/or https://www.iana.org/time-zones for discussion.)

Here's one way:

index=_internal | head 2 | table _time 
| rename COMMENT as "The above just gets a couple of records for demonstration purposes."

| eval myDateFormat="%Y-%m-%d %H:%M:%S.%3Q"
| eval TimeDisp=strftime(_time,myDateFormat." %Z")
| eval myTzName = "PST"
| eval localDisp=strftime(2*_time-strptime(strftime(_time,myDateFormat." ".myTzName),myDateFormat." %Z"),myDateFormat)." ".myTzName

This takes the relevant time UTC, pretends it is PST, then translates it back to UTC. It then applies whatever the difference in seconds was to the original time, then formats the result with the time zone at the end. Set the values of myDateFormat and myTzName as desired.

This method is for display only, not for changing the underlying data. It will get the wrong answer for a couple of hours each year when the calculation is performed across the hours that the time is changing to and from daylight savings. Worse, the method is in essence hardcoding the output expectation for the time zone (PST versus PDT), so the report results will be presenting a time zone that is not actually in effect during half the year.

richgalloway
SplunkTrust

Perhaps this will get you started in the right direction. It does not account for daylight saving/summer time. If you need that then consider a custom command.

... | eval UTCepoch=strptime(time_UTC, "%Y-%m-%d %H:%M:%S.%N") | eval localEpoch=UTCepoch + (gmtoffset*60) | eval time_local=strftime(localEpoch, "%Y%m%d %H:%M:%S")
---
If this reply helps you, Karma would be appreciated.
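
The offset arithmetic discussed in this thread, as an added Python example (not code from either answer): the core of what a custom command could do with the question's `time_UTC` and `gmtoffset` fields, labelling each result with the event's own offset rather than a fixed zone name. The function names, the `time_local` output format and all sample rows after the first are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC_FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")
# Real-world UTC offsets span -12:00 to +14:00; anything else is bad data.
MIN_OFFSET, MAX_OFFSET = -12 * 60, 14 * 60


def to_local(time_utc, gmtoffset):
    """Return the device-local timestamp with its offset, or None if unusable."""
    try:
        minutes = int(str(gmtoffset).strip())
    except ValueError:
        return None
    if not MIN_OFFSET <= minutes <= MAX_OFFSET:
        return None
    for fmt in UTC_FORMATS:
        try:
            parsed = datetime.strptime(str(time_utc).strip(), fmt)
            break
        except ValueError:
            continue
    else:
        return None
    # Mark the parsed value as UTC explicitly so the host's own time zone
    # never influences the result, then shift it into the device's offset.
    local = parsed.replace(tzinfo=timezone.utc).astimezone(
        timezone(timedelta(minutes=minutes)))
    return local.isoformat(sep=" ", timespec="milliseconds")


def add_local_time(records):
    """Yield each record with a time_local field; unusable rows get ""."""
    for record in records:
        out = dict(record)
        out["time_local"] = to_local(record.get("time_UTC"), record.get("gmtoffset")) or ""
        yield out


# First row is the sample from the question; the other rows are constructed.
SAMPLE = [
    {"READER": "CA_123", "time_UTC": "2016-10-01 06:04:51.0", "gmtoffset": "-300"},
    {"READER": "X_1", "time_UTC": "2016-10-01 02:30:00.0", "gmtoffset": "-300"},  # previous day
    {"READER": "X_2", "time_UTC": "2016-10-01 20:15:00", "gmtoffset": "330"},  # half-hour offset
    {"READER": "X_3", "time_UTC": "not a time", "gmtoffset": "-300"},  # unparseable
]

if __name__ == "__main__":
    for row in add_local_time(SAMPLE):
        print(row["READER"], row["time_local"] or "<unparsed>")
```

Because the offset comes from each event, the result is only as accurate as the `gmtoffset` the device recorded at that moment.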