- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search for data for a specific day in GMT f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to create a summary report of KPIs which are created by machines in 3 different timezones. My search head is in one timezone, so searching for yesterday on my search head will not get me the yesterday of all 3 different timezones, it will be shifted by couple hours.
How to tell Splunk I want to search for a specific day, but in GMT format, i.e. I want to search everything that happened on 2018-07-05 , regardless if it is PST, -0800 or EDT -0500.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So with the assumption that time is being extracted from your log entries and not being assigned automagically. And that your logs are written in the local time zone you can set your time picker wide enough to cover the day over all time zones, and use default extracted date time fields like date_mday to get down to only the desired day.
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usedefaultfields
something like:
index=foo_* sourcetype=bar earliest=-2d@d latest=now
| where date_mday=strftime(relative_time(now(),"-d@d"),"%d")
Now if your data does not have these fields or your data is recorded in UTC and not the local time zone, then you still want to search for a wide enough time range and you'd need some other method to looking up the offset of each group of hosts, and eliminating data that is not yesterday for those hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go go Your Login/Name -> Preferences -> Time zone and set it to GMT and save. Logout and login and now all of your Timepicker selections (e.g. Yesterday) are normalized to GMT, including scheduled searches (until you change your Time zone value again). You might create a special user called userGMT that is only used for this type of reporting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So with the assumption that time is being extracted from your log entries and not being assigned automagically. And that your logs are written in the local time zone you can set your time picker wide enough to cover the day over all time zones, and use default extracted date time fields like date_mday to get down to only the desired day.
https://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usedefaultfields
something like:
index=foo_* sourcetype=bar earliest=-2d@d latest=now
| where date_mday=strftime(relative_time(now(),"-d@d"),"%d")
Now if your data does not have these fields or your data is recorded in UTC and not the local time zone, then you still want to search for a wide enough time range and you'd need some other method to looking up the offset of each group of hosts, and eliminating data that is not yesterday for those hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
I think this is the most elegant and versatile way to do it in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some sample raw logs?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
