Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Convert from epoch returns wrong timezone?

peterson_wwt
New Member
‎03-28-2019 02:35 PM

Epoch/Unix times are always in UTC.

When I use convert to create a human readable time, the timezone ( %Z ) is somehow incorrect for some sourcetypes but correct for others.

I realize the timezone on those sourcetypes may be incorrect, but then the epoch time should reflect that.

example 

 <base search>
| stats latest(_time) as latest_epoch earliest(_time) as earliest_epoch by sourcetype
| convert timeformat="%x %X %Z" ctime(latest_epoch) AS latest_human
| convert timeformat="%x %X %Z" ctime(earliest_epoch) AS earliest_human

This results in 

   sourcetype      latest_epoch      earliest_epoch    earliest_human            latest_human
1  sourcetypeA     1553733248.762    1553718850.771    03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
2  sourcetypeB     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT
3  sourcetypeC     1553733253        1553733253        03/27/19 18:34:13 MDT     03/27/19 18:34:13 MDT
4  sourcetypeD     1553733250        1553718190.756    03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT
5  sourcetypeE     1553733250        1553733250        03/27/19 18:34:10 MDT     03/27/19 18:34:10 MDT

As you can see rows 2,3 & 5 are correct. Rows 1 and 4 are not. However all rows have essentially the same epoch time.

Epoch time is always in GMT, so why is it being converted to two different timezones yet also claiming to be MDT.

What gives?

Tags (3)
0 Karma
Reply

wmyersas
Builder
‎10-17-2019 12:40 PM

What makes you think the timezones are wrong?

Lines 1 & 4 have an earliest epoch time ~15000 seconds (or about 4.25 hours) earlier than their latest epoch time:

1  sourcetypeA     1553733248.762    1553718850.771       03/27/19 14:34:10 MDT     03/27/19 18:34:08 MDT
4  sourcetypeD     1553733250        1553718190.756       03/27/19 14:23:10 MDT     03/27/19 18:34:10 MDT

Those seem to be perfectly fine to me.

Sidebar - hadn't run into anyone using convert before: I've always used | eval timefield=strftime(epochfield,"<format>") (and most often use "%c" as my time formatter)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...