Solved: Convert timestamp from BST to EDT

davidcraven02 · ‎06-13-2018

My approach was to subtract 5 hours (18000 seconds) from the timestamp but when using the below line I get no results.

| eval timestamp =  timestamp - 18000

Full Query without subtraction

index=duo extracted_eventtype=authentication integration="Microsoft RDP" username=*
| eval Time=strftime(timestamp, "%H:%M") 
| eval day=strftime(timestamp, "%Y-%m-%d") 
| stats earliest(Time) by day, username  
| rename earliest(Time) as LogonTime 
| table username, day, LogonTime  
| sort username

I included the timestamp in the table to show its format.

renjith_nair · ‎06-13-2018

Try the substraction with the original time fields "_time" or convert it using strptime

     | eval BST_Time= _time - 18000

or use the relative_time function

|eval BST_Time=relative_time(_time,"-5h")

Happy Splunking!

View solution in original post

renjith_nair · ‎06-13-2018

Try the substraction with the original time fields "_time" or convert it using strptime

     | eval BST_Time= _time - 18000

or use the relative_time function

|eval BST_Time=relative_time(_time,"-5h")

Happy Splunking!

davidcraven02 · ‎06-13-2018

Thank you this worked.

Convert timestamp from BST to EDT

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms