Splunk Search

API: How to specify returning dates with a UTC or GMT offset rather than a CDT time zone?

artrune
Path Finder

How can I specify Splunk to return dates with a UTC or GMT offset rather than a time zone abbreviation?
Right now I get back information like this:

{"preview":false,"offset":31,"result":{"_time":"2019-06-17 17:30:00.000 CDT","Value":"97.038000"}}

I would like to have a UTC offset instead of the time zone abbreviation CDT.

Any clues?

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@artrune ,

You can use %z in the time format

Reference : https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Commontimeformatvariables#Time_va...
E.g.

|eval formatted=strftime(_time,"%d-%m-%Y %H:%M:%S %z")
Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@artrune ,

You can use %z in the time format

Reference : https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Commontimeformatvariables#Time_va...
E.g.

|eval formatted=strftime(_time,"%d-%m-%Y %H:%M:%S %z")
Happy Splunking!
0 Karma

artrune
Path Finder

Thanks for the answer, this helped alot, However is there a way for _time to assume that value? Because if not it creates an extra variable called formatted that contains the formatted date.
I would like a workaround but if not possible I can live with that.
I will try renaming in the mean time and see what happens

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@artrune , yes you can directly assign the converted values to _time instead of an extra variable ,

|eval _time=strftime(_time,"%d-%m-%Y %H:%M:%S %z")

However, its advised not to change _time, especially if you are using it for any other operation in the search.

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...