Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for data for a specific day in GMT format

louisphilippela
New Member
‎07-05-2018 05:41 AM

I need to create a summary report of KPIs which are created by machines in 3 different timezones. My search head is in one timezone, so searching for yesterday on my search head will not get me the yesterday of all 3 different timezones, it will be shifted by couple hours.

How to tell Splunk I want to search for a specific day, but in GMT format, i.e. I want to search everything that happened on 2018-07-05 , regardless if it is PST, -0800 or EDT -0500.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎07-05-2018 08:49 AM

So with the assumption that time is being extracted from your log entries and not being assigned automagically. And that your logs are written in the local time zone you can set your time picker wide enough to cover the day over all time zones, and use default extracted date time fields like date_mday to get down to only the desired day.

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usedefaultfields

something like:

index=foo_* sourcetype=bar earliest=-2d@d latest=now 
| where date_mday=strftime(relative_time(now(),"-d@d"),"%d")

Now if your data does not have these fields or your data is recorded in UTC and not the local time zone, then you still want to search for a wide enough time range and you'd need some other method to looking up the offset of each group of hosts, and eliminating data that is not yesterday for those hosts.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-05-2018 08:55 AM

Go go Your Login/Name -> Preferences -> Time zone and set it to GMT and save. Logout and login and now all of your Timepicker selections (e.g. Yesterday) are normalized to GMT, including scheduled searches (until you change your Time zone value again). You might create a special user called userGMT that is only used for this type of reporting.

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎07-05-2018 08:49 AM

So with the assumption that time is being extracted from your log entries and not being assigned automagically. And that your logs are written in the local time zone you can set your time picker wide enough to cover the day over all time zones, and use default extracted date time fields like date_mday to get down to only the desired day.

https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usedefaultfields

something like:

index=foo_* sourcetype=bar earliest=-2d@d latest=now 
| where date_mday=strftime(relative_time(now(),"-d@d"),"%d")

Now if your data does not have these fields or your data is recorded in UTC and not the local time zone, then you still want to search for a wide enough time range and you'd need some other method to looking up the offset of each group of hosts, and eliminating data that is not yesterday for those hosts.

Reply
Solved! Jump to solution

louisphilippela
New Member
‎07-12-2018 09:20 AM

Thanks!

I think this is the most elegant and versatile way to do it in Splunk.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-05-2018 08:17 AM

Can you post some sample raw logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...