Splunk Search

Time conversion from UST to EST in search results

vn86893
Explorer

Hello Team,

I am facing this issue where my logs are written in EST and the time stamp on the log is UST (let's say the log is written at 6PM EST and the time stamp in the log is 11PM). I am searching the logs in the EST time zone. 2019-04-06 22:59:45.3711 is the timestamp format on the log.

So the log written at 6PM EST having time stamp at 11pm isn't showing up in search until 11pm EST. I am not sure how to fix this thing. Any help is greatly appreciated.

I changed the time zone in my account to Eastern.


dmarling
Builder

This won't fix the root cause of the problem that @somesoni2 mentioned, which is that the sourcetype is not set up with an offset as explained in the documentation, but it can make the _time appear accurate as a search-time workaround. This can be used to show results from the last hour:

<your search for the UTC-stamped logs> earliest=now latest=+4h
| eval _time=strptime(strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N")."UTC", "%Y-%m-%dT%H:%M:%S.%3N%Z")
| where _time>relative_time(now(), "-1h") AND _time<now()
If this comment/answer was helpful, please up vote it. Thank you.

somesoni2
Revered Legend

You would need to setup timestamp parsing for your log (sourcetype) so that Splunk knows that logged timestamp is in UST (GMT/UTC).
https://docs.splunk.com/Documentation/Splunk/7.2.5/Data/Configuretimestamprecognition

If you could update your logging format to include the timezone it's logging in, it'll resolve the issue (without any timestamp parsing configuration, though they are recommended). If you can't update the logging format, then you have to set up those time parsing configurations, including the TZ=UTC attribute.

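The props.conf stanza that somesoni2's answer points to, written out for the questioner's timestamp format as an added example (not code from the thread or from the Splunk documentation). The sourcetype name is a placeholder, and it is assumed that TIME_FORMAT accepts the 4-digit subsecond width %4N.

```ini
# props.conf on the instance that parses this data (indexer or heavy forwarder).
# "my_app_logs" is a placeholder for the questioner's actual sourcetype name.
[my_app_logs]
# The timestamp is at the start of each line; limit how far Splunk scans for it.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
# Matches "2019-04-06 22:59:45.3711" (4-digit fraction assumed to parse as %4N).
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%4N
# The logged clock is UTC. Without TZ, Splunk assumes the parsing host's local
# zone, which is why an 11PM UTC entry was indexed as 11PM EST and hidden for hours.
TZ = UTC
```

TZ is applied at index time, so events already indexed keep their shifted _time; only data arriving after the restart is corrected. A quick check is to index a fresh line and compare its _time against the raw timestamp in the event.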