Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timezone- Could you please help me convert all the values to a standard  timezone(UTC)?

ranjithan
Path Finder
‎10-23-2022 07:27 AM

Hi Community,

Please help me..

I have a field Expiration with values having different timezones . Could you please help me convert all the values to a standard  timezone(UTC).  Any help would be appreciated.  Thanks in advance

Expiration

18:02:56 EDT Oct 5 2022
12:02:56 CDT Oct 5 2022
13:02:56 EDT Oct 5 2022
18:02:56 CDT Oct 5 2022
18:59:59 EST Nov 15 2022
19:59:59 EDT Oct 5 2022
17:02:56 UTC Oct 5 2022
18:59:59 CDT Oct 5 2022
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 07:44 AM

Hi @ranjithan,

you could extract the timezone from the field and then put in a lookup the convertion factor.

so create a lookup called timezone_convertion_factor.csv with two columns: timezone, convertion_factor like the following (in the real case, obviously put all the values that you can find in many sites as https://en.wikipedia.org/wiki/List_of_tz_database_time_zones😞

 

timezone convertion_factor
EDT -5
CDT -6
EST -5
UTC 0

 

 you could run something like this:

 

<your_search>
| eval timezone=strftime(Expiration,"%Z")
| lookup timezone_convertion_factor.csv timezone OUTPUT convertion_factor
| eval Expitarion_UTC=Expitarion+convertion_factor*3600
| table Expitarion_UTC

 

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 07:44 AM

Hi @ranjithan,

you could extract the timezone from the field and then put in a lookup the convertion factor.

so create a lookup called timezone_convertion_factor.csv with two columns: timezone, convertion_factor like the following (in the real case, obviously put all the values that you can find in many sites as https://en.wikipedia.org/wiki/List_of_tz_database_time_zones😞

 

timezone convertion_factor
EDT -5
CDT -6
EST -5
UTC 0

 

 you could run something like this:

 

<your_search>
| eval timezone=strftime(Expiration,"%Z")
| lookup timezone_convertion_factor.csv timezone OUTPUT convertion_factor
| eval Expitarion_UTC=Expitarion+convertion_factor*3600
| table Expitarion_UTC

 

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

ranjithan
Path Finder
‎10-23-2022 08:41 AM

Thank you so much   .    Also I just realised that using   %Z  with strptime automatically converts to epoch time from any time zone and this also can  standardise the time    for time calculations.  

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 11:31 PM

HI @ranjithan,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

ranjithan
Path Finder
‎10-24-2022 02:56 AM

Thanks again for your help! 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...