Solved: How can we convert a time from EST to UTC in Splun...

danielbb · ‎08-06-2019

A user tells us -

-- I need to convert time value from EST to UTC in Splunk search. Is there any function available to do this?

The user tried -

index=* 
| head 5 
| eval mytime=strftime(relative_time(_time, "+2d@d"),"%d/%b/%Y") 
| eval duedate=strftime(relative_time(_time, "+2d@d"),"%Y-%m-%dT%H:%M:%S+%Q") 
| eval eventtime= strftime(_time,"%Y-%m-%dT%H:%M:%S.0+0000") | eval utc_time =strftime(relative_time(_time, "+4h"), "%Y-%m-%dT%H:%M:%S.0+0000")
| table _time, host, duedate, eventtime, utc_time

danielbb · ‎08-07-2019

They had to send the time to Jira as a UTC timestamp.

We ended up doing -

| eval TimeZone=_time+" EST" | eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z") 
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z")

Flipping between %Z, hard-coded as EST to lower z, %z, which gives the TZ difference in hours, such as -4:00, etc.

Based on @niketnilay response at How to convert date and time in UTC to EST?

View solution in original post

danielbb · ‎08-07-2019

They had to send the time to Jira as a UTC timestamp.

We ended up doing -

| eval TimeZone=_time+" EST" | eval estFormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%Z") 
| eval FormatTime=strftime(strptime(TimeZone,"%s.%Q %Z"),"%Y-%m-%dT%H:%M:%S.000%z")

Flipping between %Z, hard-coded as EST to lower z, %z, which gives the TZ difference in hours, such as -4:00, etc.

Based on @niketnilay response at How to convert date and time in UTC to EST?

niketn · ‎08-07-2019

@danielbb Glad you found the solution useful, by trapping the timezone you can perform a lot of mathematical conversions as well as per your needs. Do up-vote the original post if you found the answer useful.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

danielbb · ‎08-08-2019

Thank you @niketnilay!

richgalloway · ‎08-07-2019

Why is the user trying to convert time zones? What problem is he trying to solve?
If he just wants to see events in UTC then he just needs to change his profile.

---
If this reply helps you, Karma would be appreciated.

danielbb · ‎08-06-2019

I'm trying something like -

| makeresults | eval Time="Mon July 23 2018 17:19:01.89 EST" 
| eval epoch=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval time_in_london=strftime(epoch,"%a %B %d %Y %H:%M:%S.%N UTC")
| table Time epoch time_in_london

Meaning, for time_in_london, I'm trying to hardcode UTC without much luck.

danielbb · ‎08-06-2019

One way to determine the time difference between two time zones is to take any date and treat is as a UTC time stamp and as an EST one and subtract their corresponding epoch times.

| makeresults 

| eval Time="Mon July 23 2018 17:19:01.89 UTC" 
| eval epoch_utc=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")

| eval Time="Mon July 23 2018 17:19:01.89 EST" 
| eval epoch_est=strptime(Time,"%a %B %d %Y %H:%M:%S.%N %Z")
| eval diff = (epoch_utc-epoch_est)/60/60

| table epoch_utc, epoch_est, diff

That shows the desired five but there might be a better way...

How can we convert a time from EST to UTC in Splunk search?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life