
How do I convert timestamps to UTC from Pacific time (ISO 8601 format)?

orion44
Communicator

My Splunk indexer is operating in the Pacific time zone (can't be changed) and I need to output timestamps in a report to UTC. I currently convert the existing _time to ISO 8601 format time via:
eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S%z")

How can I take it a step further and convert mytime into the UTC time zone?


orion44
Communicator

I was able to convert the PT timestamps to UTC (time_utc) via the following eval:

eval time_splunk=strftime(_time, "%A, %B %e, %Y %l:%M:%S.%3Q %p %Z (%:z)")
| eval time_offset=strftime(_time, "%:z")
| rex field=time_offset ".(?<time_offset_seconds>\d{2}:\d{2})"
| eval time_offset_seconds=time_offset_seconds.":00"
| convert dur2sec(time_offset_seconds)
| eval time_utc_epoch=strftime(_time, "%s")
| convert num(time_utc_epoch)
| eval time_utc_epoch=if(time_offset_seconds==0, time_utc_epoch, if(substr(time_offset, 1, 1)=="+", time_utc_epoch-time_offset_seconds, time_utc_epoch+time_offset_seconds))
| eval time_utc=strftime(time_utc_epoch, "%Y-%m-%dT%H:%M:%SZ")


whrg
Motivator

Hello @orion44,

First some clarification: When you index a log file, you need to make sure that the indexer/forwarder has the correct system time zone set. Also, you need to make sure that Splunk recognizes the time stamp of the log file. If the log file is not in local time and if the events' timestamps do not contain any time zone information, then the time zone can be manually set for certain log files via props.conf.
Events are then indexed and stored in epoch time (I believe), which is independent of any time zone.
Now when you run a Splunk search on the search head, events are displayed in the time zone set in the user preferences. The same applies for strftime().

I assume your user preferences are set to Pacific time. You could change that to GMT. However, that will affect all searches by your user.

Since _time is an epoch time object, you could try a simple hack like this:

eval mytime=strftime(_time+8*3600,"%Y-%m-%dT%H:%M:%S")

This will get you something like:

_time                mytime
2018-12-12 00:19:26  2018-12-12T08:19:26
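The two answers above rely on the same fact: _time is an epoch value and strftime() always renders it in the user's time zone, so adding the right number of seconds before rendering makes the local rendering show UTC wall-clock time. The script below is an added example (not code from the original thread or from Splunk); it mimics that behaviour in Python with zoneinfo, assuming the indexer and the user preference are both America/Los_Angeles, and runs whrg's fixed +8h hack, orion44's rendered-offset method and a direct UTC rendering side by side on three constructed sample _time values: one in PST, one in PDT, and one 30 minutes before the spring-forward transition.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+; needs the IANA tz database (tzdata)

# Assumption: both the indexer and the searching user's preference are Pacific time.
LOCAL = ZoneInfo("America/Los_Angeles")
ISO_LOCAL = "%Y-%m-%dT%H:%M:%S%z"   # the format from the original question
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def local_epoch(y, mo, d, h, mi, s):
    """Epoch seconds for a Pacific wall-clock time (helper for the constructed samples)."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=LOCAL).timestamp())


# Constructed sample _time values; the first matches whrg's example row.
SAMPLES = {
    "winter_pst": local_epoch(2018, 12, 12, 0, 19, 26),       # PST, UTC-08:00
    "summer_pdt": local_epoch(2018, 7, 4, 0, 19, 26),         # PDT, UTC-07:00
    "before_spring_forward": local_epoch(2018, 3, 11, 1, 30, 0),  # DST starts at 02:00 PST
}


def splunk_strftime(epoch, fmt):
    """Mimic Splunk's strftime(): the epoch is rendered in the user's zone, whatever fmt says."""
    return datetime.fromtimestamp(epoch, LOCAL).strftime(fmt)


def utc_fixed_offset(epoch):
    """whrg's hack: strftime(_time + 8*3600, ...). Only right while UTC-8 (PST) is in effect."""
    return splunk_strftime(epoch + 8 * 3600, ISO_UTC)


def utc_via_rendered_offset(epoch):
    """orion44's method: read %z from the local rendering, shift _time by it, render again."""
    off = splunk_strftime(epoch, "%z")                      # e.g. "-0800" or "-0700"
    sign = 1 if off[0] == "+" else -1
    off_secs = sign * (int(off[1:3]) * 3600 + int(off[3:5]) * 60)
    # local wall time = UTC + offset, so rendering (epoch - offset) locally shows UTC
    # wall time, provided the zone's offset is the same at the shifted instant.
    return splunk_strftime(epoch - off_secs, ISO_UTC)


def utc_direct(epoch):
    """Reference: render the same instant in UTC with no offset arithmetic at all."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(ISO_UTC)


def compare(epoch):
    """Return (local rendering, fixed +8h hack, rendered-offset method, direct UTC)."""
    return (
        splunk_strftime(epoch, ISO_LOCAL),
        utc_fixed_offset(epoch),
        utc_via_rendered_offset(epoch),
        utc_direct(epoch),
    )


if __name__ == "__main__":
    for name, epoch in SAMPLES.items():
        local, fixed, shifted, direct = compare(epoch)
        print(f"{name:22} local={local}  +8h={fixed}  offset-shift={shifted}  utc={direct}")
```

Running it shows where each shortcut breaks: the fixed +8h hack is an hour off for the whole of daylight-saving time (it reports 08:19:26Z for a 07:19:26Z event), and the rendered-offset method is an hour off in the last eight hours before the spring-forward transition (and seven before fall-back), because the shifted epoch is rendered with the offset in force at the shifted instant, not the original one. For a report or an incident timeline that is consumed outside Splunk, a rendering that does not depend on the user's zone (the user preference set to GMT, or a TZ set in props.conf at index time so the stored epoch is right in the first place) avoids both classes of error.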

prakash007
Builder

You can define your time zone in your props.conf by sourcetype, source or host. This Splunk doc should help:
http://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Applytimezoneoffsetstotimestamps#How_Splunk_s...
