Convert from epoch returns wrong timezone?

peterson_wwt
New Member

Epoch/Unix times are always in UTC.

When I use convert to create a human readable time, the timezone ( %Z ) is somehow incorrect for some sourcetypes but correct for others.

I realize the timezone on those sourcetypes may be incorrect, but then the epoch time should reflect that.

example

 <base search>
| stats latest(_time) as latest_epoch earliest(_time) as earliest_epoch by sourcetype
| convert timeformat="%x %X %Z" ctime(latest_epoch) AS latest_human
| convert timeformat="%x %X %Z" ctime(earliest_epoch) AS earliest_human

This results in

   sourcetype      latest_epoch      earliest_epoch    earliest_human            latest_human
1  sourcetypeA     1553733248.762    1553718850.771    03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
2  sourcetypeB     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT
3  sourcetypeC     1553733253        1553733253        03/27/19 18:34:13 MDT     03/27/19 18:34:13 MDT
4  sourcetypeD     1553733250        1553718190.756    03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT
5  sourcetypeE     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT

As you can see, rows 2, 3 & 5 are correct. Rows 1 and 4 are not. However, all rows have essentially the same epoch time.

Epoch time is always in GMT, so why is it being converted to two different timezones yet also claiming to be MDT?

What gives?

wmyersas
Builder

What makes you think the timezones are wrong?

Lines 1 & 4 have an earliest epoch time ~15000 seconds (or about 4.25 hours) earlier than their latest epoch time:

1  sourcetypeA     1553733248.762    1553718850.771       03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
4  sourcetypeD     1553733250        1553718190.756       03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT

Those seem to be perfectly fine to me.


Sidebar - hadn't run into anyone using convert before: I've always used | eval timefield=strftime(epochfield,"<format>") (and most often use "%c" as my time formatter)

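The answer's point can be checked outside Splunk. The following is an added example, not code from the thread: it renders the question's epoch values the way convert/strftime would, assuming a fixed UTC-6 offset labelled MDT stands in for the search head's timezone and a fixed-locale format stands in for "%x %X %Z".

```python
from datetime import datetime, timedelta, timezone

# Assumption: the search head renders in MDT (UTC-6) on 2019-03-27; a fixed offset
# is used here so the example runs without an IANA tz database.
MDT = timezone(timedelta(hours=-6), "MDT")

# Fixed-locale equivalent of the SPL timeformat "%x %X %Z" used in the question.
FMT = "%m/%d/%y %H:%M:%S %Z"

# Constructed from the result rows in the question: (sourcetype, latest_epoch, earliest_epoch).
ROWS = [
    ("sourcetypeA", 1553733248.762, 1553718850.771),
    ("sourcetypeB", 1553733250.0, 1553733250.0),
    ("sourcetypeD", 1553733250.0, 1553718190.756),
]


def render(epoch, tz=MDT):
    """Render a UTC epoch as wall-clock time in tz. The epoch itself carries no
    zone; the zone only decides how the same instant is displayed."""
    return datetime.fromtimestamp(epoch, tz=tz).strftime(FMT)


def gap_hours(latest, earliest):
    """Hours between the two epochs, independent of any display timezone."""
    return round((latest - earliest) / 3600, 2)


def explain(rows=ROWS):
    """Show that rows whose human times differ simply have different epochs."""
    out = []
    for sourcetype, latest, earliest in rows:
        out.append({
            "sourcetype": sourcetype,
            "earliest_human": render(earliest),
            "latest_human": render(latest),
            "earliest_utc": render(earliest, timezone.utc),
            "latest_utc": render(latest, timezone.utc),
            "gap_hours": gap_hours(latest, earliest),
        })
    return out


if __name__ == "__main__":
    for row in explain():
        print(row)
```

Rows 1 and 4 show a gap of about four hours between earliest and latest, so the two MDT strings describe two different instants, not one instant in two zones.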