You can try strptime time specifiers and add a timezone (%z is for the timezone in HourMinute format HHMM, for example -0500 is US Eastern Standard Time, and %Z is for the timezone acronym, for example EST is US Eastern Standard Time). However, the final result displayed will be based on Splunk Server time or User Settings. So if that suffices for your need, instead of changing the timezone of the extracted field, you can modify the same through the logged-in user's Account Settings in Splunk.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
Option 1
| makeresults | eval Time="20161222221600" | eval TimeZone=Time+" -0500" | eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %z"),"%Y/%m/%d %H:%M:%S %z")
Option 2
| makeresults | eval Time="20161222221600" | eval TimeZone=Time+" EST" | eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z")
Option 3
Use Account Settings in Splunk to change the Global Timezone to EST.
No, I want to convert a field value logged as UTC to EST at search time. For example following is the log information:
Time: 12/22/16 5:42:00.000 PM
Last_accessed_at: 20161222221600 ( I want to convert to EST)
Your sample time does not have a UTC identifier, so if you are seeing the timezone in search in UTC, that implies your Splunk server is running at UTC time or else your logged-in User Account is set to UTC.
If you change logged in User Account settings to EST you will see FormatTime in EST while the TimeZone time is in GMT. Can you please run the following search in your Splunk Search and confirm the results for TimeZone and FormatTime?
| makeresults
| eval Time="20161222091100"
| eval TimeZone=Time+" GMT"
| eval FormatTime=strftime(strptime(TimeZone,"%Y%m%d%H%M%S %Z"),"%Y/%m/%d %H:%M:%S %Z")
| table TimeZone FormatTime
I tried this but it seems this is not working.
I want to convert BST to EST please.
| eval BST=strftime(TransactTime/1000000000, "%d/%m/%y %H:%M:%S %Z" )
| eval TimeZone=BST+" -EST"
| eval ET=strftime(strptime(TimeZone,"%d/%m/%y %H:%M:%S %Z"),"%d/%m/%y %H:%M:%S %Z")
| table BST, ET
FormatTime - 2016/12/22 04:11:00 EST
TimeZone - 20161222091100 GMT
Is this not what you want? 09:11:00 GMT converted to 04:11:00 EST?
Exactly! Thank you!
Are you trying to display the timestamp from UTC to EST in the Splunk Web interface when a user performs a search? If so, you can adjust the timezone setting for a user's search results by adjusting their user settings.
No, I want to convert a field value logged as UTC to EST. For example following is the log information:
Time: 12/22/16 5:42:00.000 PM
Last_accessed_at: 20161222221600 ( I want to convert to EST)
Thank you!
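Added example, not part of the thread and not Splunk code: a Python cross-check of the conversion discussed above. It shows the difference between labelling the raw value with an offset (as in Option 1) and treating it as UTC before converting, and how a summer timestamp differs from a fixed -0500. The function names and the July sample value are assumptions constructed for illustration; the other sample values are the ones quoted in the thread.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

EASTERN = ZoneInfo("America/New_York")  # DST-aware zone, not a fixed -0500
IN_FMT = "%Y%m%d%H%M%S"                 # layout of Last_accessed_at in the thread
OUT_FMT = "%Y/%m/%d %H:%M:%S %Z"        # same layout as FormatTime in the thread


def utc_field_to_eastern(value: str) -> str:
    """Interpret a zone-less timestamp as UTC and render it in US Eastern."""
    # The logged value carries no zone marker, so attach UTC explicitly
    # rather than letting the parser assume the local zone.
    parsed = datetime.strptime(value, IN_FMT).replace(tzinfo=timezone.utc)
    return parsed.astimezone(EASTERN).strftime(OUT_FMT)


def labelled_field_to_eastern(value: str, offset: str) -> str:
    """Append a +/-HHMM suffix, parse it with %z, then render in US Eastern."""
    parsed = datetime.strptime(f"{value} {offset}", IN_FMT + " %z")
    return parsed.astimezone(EASTERN).strftime(OUT_FMT)


if __name__ == "__main__":
    # Values from the thread, plus one constructed July value to show DST.
    for sample in ("20161222091100", "20161222221600", "20160722221600"):
        print(sample, "UTC ->", utc_field_to_eastern(sample))
    # Labelling the same digits as -0500 declares them to be Eastern already,
    # so the clock time is unchanged; labelling them +0000 converts from UTC.
    print(labelled_field_to_eastern("20161222221600", "-0500"))
    print(labelled_field_to_eastern("20161222221600", "+0000"))
```
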