Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Convert from epoch returns wrong timezone?

peterson_wwt
New Member
‎03-28-2019 02:35 PM

Epoch/Unix times are always in UTC.

When I use convert to create a human readable time, the timezone ( %Z ) is somehow incorrect for some sourcetypes but correct for others.

I realize the timezone on those sourcetypes may be incorrect, but then the epoch time should reflect that.

example 

 <base search>
| stats latest(_time) as latest_epoch earliest(_time) as earliest_epoch by sourcetype
| convert timeformat="%x %X %Z" ctime(latest_epoch) AS latest_human
| convert timeformat="%x %X %Z" ctime(earliest_epoch) AS earliest_human

This results in 

   sourcetype      latest_epoch      earliest_epoch    earliest_human            latest_human
1  sourcetypeA     1553733248.762    1553718850.771    03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
2  sourcetypeB     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT
3  sourcetypeC     1553733253        1553733253        03/27/19 18:34:13 MDT     03/27/19 18:34:13 MDT
4  sourcetypeD     1553733250        1553718190.756    03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT
5  sourcetypeE     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT

As you can see rows 2,3 & 5 are correct. Rows 1 and 4 are not. However all rows have essentially the same epoch time.

Epoch time is always in GMT, so why is it being converted to two different timezones yet also claiming to be MDT.

What gives?

Tags (3)
0 Karma
Reply

wmyersas
Builder
‎10-17-2019 12:40 PM

What makes you think the timezones are wrong?

Lines 1 & 4 have an earliest epoch time ~15000 seconds (or about 4.25 hours) earlier than their latest epoch time:

1  sourcetypeA     1553733248.762    1553718850.771       03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
4  sourcetypeD     1553733250        1553718190.756       03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT

Those seem to be perfectly fine to me.

Sidebar - hadn't run into anyone using convert before: I've always used | eval timefield=strftime(epochfield,"<format>") (and most often use "%c" as my time formatter)

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...