Getting Data In

How to convert "_internal" field "date_zone" to time zone?

tlmayes
Contributor

I am trying to convert the field "date_zone" reported by our Universal Forwarders (UF) in "index=_internal" from +0900 to KRW. Everything I have tried returns my account's local time zone (TZ). The time and date_zone in the event are accurate for our Korea UFs (and other geo locations), but the conversion attempts always return the local zone. I can search for the field date_zone all day, and it works fine every time. It changes to my time zone when I try to convert from %z to %Z.

We have hundreds of UFs spread across many TZ's and need to monitor and report that they are and continue to have their TZ offset set properly, but I am trying to make it more friendly to read (KRW is more meaningful than +0900).

0 Karma

woodcock
Esteemed Legend

In your search add this near the end:

... | eval date_zone=if(date_zone="+0900", "KRW", date_zone)
0 Karma

hunters_splunk
Splunk Employee

Hi Timayes,

date_time does not reflect your local time, but is the value of time/date directly from the raw events.
To determine the time of your server:
1. In Account Settings, set Time Zone to Default System Timezone
2. Run a search over the last 15 minutes
3. Read the event timestamps and compare with your local time

Hope this helps. Thanks!
Hunter

0 Karma

tlmayes
Contributor

Thanks hunters. Maybe I misrepresented. I understand, and stated as much, that date_time, date_hour, date_zone, date_* reflect the remote host, but what I am trying to do is convert to a human-readable TZ vice the offset. Everything that I have tried converts the REMOTE date_time to my LOCAL TZ using the date_time of a remote host.

I can compare time stamps visually, but that is not what I am looking for. I am trying to create a report/dashboard of all of my remote TZ's (derived from date_zone of each UF) and compare them with the FQDN of each UF. Thanks for the response though.

0 Karma
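
The per-forwarder report described in this thread, built on the eval mapping from the answer above, as an added example that is not part of any post. It runs on constructed rows from makeresults instead of index=_internal; the host names, the expected_zone column, and every offset and label other than "+0900" and "KRW" are assumptions.

```spl
| makeresults
| eval constructed_sample="uf-kr-01.example.com,+0900,+0900;uf-us-01.example.com,-0500,-0500;uf-de-01.example.com,+0000,+0100"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<host>[^,]+),(?<date_zone>[^,]+),(?<expected_zone>[^,]+)$"
| stats latest(date_zone) as date_zone latest(expected_zone) as expected_zone by host
| eval zone_label=case(date_zone="+0900", "KRW", date_zone="-0500", "UTC-5 (sample label)", date_zone="+0000", "UTC (sample label)", true(), date_zone)
| eval status=if(date_zone=expected_zone, "ok", "offset mismatch")
| table host date_zone zone_label expected_zone status
```

Against real data, the first five lines would be replaced by the index=_internal search, with expected_zone supplied per host from your own inventory. An offset alone does not identify a single zone, since several zones share the same offset, so the label is a display choice and the mismatch check should compare offsets rather than labels.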