Hello All,
I've been trying to figure out how to parse the timestamp 2017/07/25 12:14:53,849 Europe/San_Marino so that it recognizes the timezone as well. This is not the timestamp being used as the _time value associated with the event, which also happens to be in the same format (it is configured in props.conf as TZ = Europe/San_Marino).
I've gone as far as eval timestamp=strptime(timestamp, "%Y/%m/%d %H:%M:%S,%f") but I can't figure out the last bit since %Z expects a UTC offset which I don't have. I've considered just adding +01:00 to the result, but I'm not sure whether that will account for daylight savings...
Any help would be greatly appreciated!
Best regards,
Andrew
Are your servers in that same timezone (Europe/San_Marino)? Probably not too important, but if they are, you don't need to look at the timezone. So I suspect you are in a situation where that is not the case.
Is the TZ (Europe/San_Marino) in the events? According to https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, that is a valid TZ string value.
If your answer to the last question is yes, then your time format should probably be something like:
%Y/%m/%d %H:%M:%S,%N %Z
%z is the offset, while %Z is the TZ string value. See:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps
I need to be able to parse the timezone specified in the field so that I can convert the timestamp to UTC.
Using %Z doesn't seem to work. Would it be able to parse Europe/San_Marino? The documentation here states that %Z is "The timezone abbreviation. For example EST for US Eastern Standard Time". Maybe it's expecting CET or CEST rather than Europe/San_Marino. If I parse CET, do you think it would recognize in July that it should be CEST?
Regards,
Andrew
Yes, the code I posted above worked exactly as posted. %Z properly translates both the short and long TZ codes. (At least on my system.)
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Correct. Daylight savings is currently in force, so it's UTC +2.00
Run-anywhere proof:
| makeresults
| eval mytime="2017/07/25 12:14:53,849 Europe/San_Marino"
| eval timestamp=strptime(mytime, "%Y/%m/%d %H:%M:%S,%f %Z")
| eval mytime2=strftime(timestamp,"%Y/%m/%d %H:%M:%S,%f")
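The same parse done outside Splunk, as an added example that is not part of the thread or of Splunk's own code. It is Python rather than SPL, and it mirrors the strptime(..., "%Y/%m/%d %H:%M:%S,%f %Z") call above: the IANA zone name in the field is resolved against the host's tz database, so a July event comes out as CEST (+02:00) and a January event as CET (+01:00) without any hand-written offset. It also shows why the "just add +01:00" idea from the question is off by an hour in summer. The sample events, the function names (to_utc, to_epoch, fixed_offset_to_utc) and the small EU-rule fallback used when no zoneinfo database is present (the failure mode discussed later in this thread) are all assumptions made for the example.

```python
"""Parse timestamps like '2017/07/25 12:14:53,849 Europe/San_Marino' to UTC."""
import re
from datetime import datetime, timedelta, timezone

try:
    import zoneinfo  # Python 3.9+; reads /usr/share/zoneinfo or the tzdata package
except ImportError:
    zoneinfo = None

# Constructed sample events (not from the thread): one in winter, one in summer.
SAMPLE_EVENTS = [
    "2017/01/25 12:14:53,849 Europe/San_Marino",
    "2017/07/25 12:14:53,849 Europe/San_Marino",
]

# Same layout as the SPL format "%Y/%m/%d %H:%M:%S,%f %Z": a comma before the
# fractional seconds, then a full IANA zone name (Area/Location, possibly nested).
TS_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}),(?P<ms>\d{1,6})"
    r" (?P<zone>[A-Za-z0-9_+\-]+(?:/[A-Za-z0-9_+\-]+)+)$"
)

# Assumption: zones following the EU rule (CET +01:00 / CEST +02:00) that the
# hand-rolled fallback below may handle when the host has no tz database at all.
EU_CENTRAL_ZONES = {"Europe/San_Marino", "Europe/Rome", "Europe/Vatican"}


def _last_sunday_0100_utc(year: int, month: int) -> datetime:
    """01:00 UTC on the last Sunday of March/October (both months have 31 days)."""
    d = datetime(year, month, 31, 1, 0, tzinfo=timezone.utc)
    return d - timedelta(days=(d.weekday() + 1) % 7)  # Monday=0 ... Sunday=6


def _eu_central_to_utc(naive_local: datetime) -> datetime:
    """Fallback only: apply the EU DST rule by hand. Simplified on purpose: the
    repeated hour at the autumn change resolves to CET, the missing spring hour to CEST."""
    start = _last_sunday_0100_utc(naive_local.year, 3)
    end = _last_sunday_0100_utc(naive_local.year, 10)
    as_cet = naive_local.replace(tzinfo=timezone.utc) - timedelta(hours=1)
    if start <= as_cet < end:
        return as_cet - timedelta(hours=1)  # CEST: wall clock is two hours ahead of UTC
    return as_cet


def _parse_naive(event: str):
    m = TS_RE.match(event)
    if not m:
        raise ValueError(f"unrecognised timestamp: {event!r}")
    # datetime.strptime's %f wants a '.' and accepts 1-6 digits, so '849' -> 849000 us
    naive = datetime.strptime(f"{m['date']} {m['time']}.{m['ms']}", "%Y/%m/%d %H:%M:%S.%f")
    return naive, m["zone"]


def to_utc(event: str) -> datetime:
    """Equivalent of strptime(mytime, "%Y/%m/%d %H:%M:%S,%f %Z") plus a conversion
    to UTC: the zone name decides whether the wall time was CET or CEST."""
    naive, zone = _parse_naive(event)
    if zoneinfo is not None:
        try:
            return naive.replace(tzinfo=zoneinfo.ZoneInfo(zone)).astimezone(timezone.utc)
        except zoneinfo.ZoneInfoNotFoundError:
            pass  # same failure mode as a missing/corrupt zoneinfo directory
    if zone in EU_CENTRAL_ZONES:
        return _eu_central_to_utc(naive)
    raise LookupError(f"no tz database entry for {zone}")


def to_epoch(event: str) -> float:
    """Splunk's strptime yields epoch seconds; return the same value."""
    return to_utc(event).timestamp()


def fixed_offset_to_utc(event: str) -> datetime:
    """The '+01:00' shortcut considered in the question: right in winter, an hour
    off in summer because it ignores daylight saving time."""
    naive, _zone = _parse_naive(event)
    return naive.replace(tzinfo=timezone(timedelta(hours=1))).astimezone(timezone.utc)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", to_utc(ev).isoformat(),
              "| fixed +01:00 ->", fixed_offset_to_utc(ev).isoformat())
```

Run it and the two conversions agree for the January event but differ by one hour for the July event, which is the daylight-saving error the question was worried about. When ZoneInfo raises ZoneInfoNotFoundError for a name that Wikipedia lists as valid, the host's tz database is the first thing to check, exactly as the thread goes on to suggest.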
I've tried running this search, but it doesn't work: in particular it doesn't parse the %Z. If I remove it then timestamp and mytime2 are returned, but those will be with my system timezone rather than Europe/San_Marino.
Regards,
Andrew
Wait - you've tried to run the run-anywhere search I posted above? And it didn't work?
That's run-anywhere code, and it doesn't use any recently added commands. Copy and paste on any Splunk system, it should work. If your system is up-to-date, it can't fail.
That probably means you have an out-of-date, missing or corrupted zoneinfo (TZ) database file somewhere.
From this page ... http://docs.splunk.com/Documentation/Splunk/latest/Data/ApplyTimezoneOffsetsToTimeStamps#zoneinfo_.2...
• UNIX versions of Splunk software rely on a TZ database included with the UNIX distribution you're running on. Most UNIX distributions store the database in the directory: /usr/share/zoneinfo.
• Solaris versions of Splunk software store TZ information in this directory: /usr/share/lib/zoneinfo.
• Windows versions of Splunk software ship with a copy of the TZ database.
Hi there, did you try %:z?
@alemarzu, @andrewtrobec - as per @cpetterborg's comment, it's capital z : %Z.