How do I parse the this timestamp: 2017/07/25 12:1...

andrewtrobec · ‎08-03-2017

Hello All,

I've been trying to figure out how to parse the timestamp 2017/07/25 12:14:53,849 Europe/San_Marino so that it recognizes the timezone as well. This is not the timestamp being used as the _time value associated to the event, which is also happens to be in the same format (it's is configured in props.conf as TZ = Europe/San_Marino).

I've gone as far as eval timestamp=strptime(timestamp, "%Y/%m/%d %H:%M:%S,%f") but I can't figure out the last bit since %Z expects a UTC offset which I don't have. I've considered just adding +01:00 to the result, but I'm not sure whether that will account for daylight savings...

Any help would be greatly appreciated!

Best regards,

Andrew

cpetterborg · ‎08-03-2017

Are your servers in that same timezone (Europe/San_Marino)? Probably not too important, but if they are, you don't need to look at the timezone. So I suspect you are in a situation where that is not the case.

Is the TZ (Europe/San_Marino) in the events? According to https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, that is a valid TZ string value.

If you answer to the last question is yes, then your time format should probably be something like:

%Y/%m/%d %H:%M:%S,%N %Z

%z is the offset, while %Z is the TZ string value. See:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Applytimezoneoffsetstotimestamps

andrewtrobec · ‎08-03-2017

I need to be able to parse the timezone specified in the field so that I can convert the timestamp to UTC.

Using %Z doesn't seem to work. Would it be able to parse Europe/San_Marino? The documentation here states that %Z is "The timezone abbreviation. For example EST for US Eastern Standard Time". Maybe it's expecting CET or CEST rather than Europe/San_Marino. If I parse CET, do you think it would recognize in July that it should be CEST?

Regards,

Andrew

DalJeanis · ‎08-04-2017

Yes, the code I posted above worked exactly as posted. %Z properly translates both the short and long TZ codes. (At least on my system.)

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

DalJeanis · ‎08-03-2017

Correct. Daylight savings is currently in force, so it's UTC +2.00

RUn anywhere proof:

| makeresults 
| eval mytime="2017/07/25 12:14:53,849 Europe/San_Marino" 
| eval timestamp=strptime(mytime, "%Y/%m/%d %H:%M:%S,%f %Z") 
| eval mytime2=strftime(timestamp,"%Y/%m/%d %H:%M:%S,%f")

andrewtrobec · ‎08-03-2017

I've tried running this search, but it doesn't work: in particular it doesn't parse the %Z. If I remove it then timestamp and mytime2 are returned, but those will be with my system timezone rather than Europe/San_Marino.

Regards,

Andrew

DalJeanis · ‎08-04-2017

Wait - you've tried to run the run-anywhere search I posted above? And it didn't work?

That's run-anywhere code, and it doesn't use any recently added commands. Copy and paste on any splunk system, it should work. If your system is up-to-date, it can't fail.

That probably means you have an out-of-date, missing or corrupted zoneinfo (TZ) database file somewhere.

From this page ... http://docs.splunk.com/Documentation/Splunk/latest/Data/ApplyTimezoneOffsetsToTimeStamps#zoneinfo_.2...

• UNIX versions of Splunk software rely on a TZ database included with the UNIX distribution you're running on. Most UNIX distributions store the database in the directory: /usr/share/zoneinfo.
• Solaris versions of Splunk software store TZ information in this directory: /usr/share/lib/zoneinfo.
• Windows versions of Splunk software ship with a copy of the TZ database.

alemarzu · ‎08-03-2017

Hi there, did you try %:z ?

DalJeanis · ‎08-03-2017

@alemarzu, @andrewtrobec - as per @cpetterborg's comment, it's capital z : %Z.

How do I parse the this timestamp: 2017/07/25 12:14:53,849 Europe/San_Marino?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!