Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

converting time to utc with "%Y-%m-%dT%H:%M:%S.%3fZ format

dtakacssplunk
Explorer
‎01-29-2018 06:14 PM

Hello I'm trying to convert an epoach time to the UTC time. I tried the following:

e.g. pageStartTime = 1517275826849
eval pageStartTimeDateTime=strftime(pageStartTime/1000, "%Y-%m-%dT%H:%M:%S.%f%Z") => 2018-01-29T17:30:26.849000PST
eval pageStartTimeDateTime2=strftime((pageStartTime)/1000, "%Y-%m-%dT%H:%M:%S.%3f%z") => 2018-01-29T17:30:26.849-0800

Note both have timezone qualifier which I do not want I want to have it in UTC.

How do I convert it so that the timestamp is something like this (utc time):
e.g . 1517275826849 => 2018-01-30T01:30:26.849Z

Tags (1)
0 Karma
Reply

nabeel652
Builder
‎01-30-2018 05:03 PM

Try this:

| stats count | fields - count | eval PageStartTime = 1517360016 | eval offset = tonumber(strftime(now(),"%z"))/100*3600 | eval PageStartTimeUTC = PageStartTime - offset | eval PageStartTimeUTC = strftime(PageStartTimeUTC,"%d/%m/%Y %H:%M:%S")

Explanation: PageStartTime is given a test value. offset is calculated by getting current user's timezone offset - converting it in seconds and subtracting it from the current time. If you're in a negative time zone subtraction will be converted to addition as a - (-b) = a + b. So the last PageStartTimeUTC shows the time in UTC

0 Karma
Reply

493669
Super Champion
‎01-29-2018 07:11 PM

Hi @dtakacssplunk,
Try this run anywhere search:

| makeresults |eval pageStartTime = "1517281593"|eval pageStartTimeDateTime=strftime(pageStartTime, "%Y-%m-%dT%H:%M:%S.%f%Z"), 
to_tz="UTC",from_tz="PST",
   from_t=strptime(strftime(pageStartTime, "%c.%6N " . from_tz), "%c.%6N %Z"),
   to_t=strptime(strftime(pageStartTime, "%c.%6N " . to_tz), "%c.%6N %Z"),
   offset=round((from_t-to_t)/60/60),
   converted=strftime(pageStartTime + (from_t-to_t), "%c")

Here PST time is converted into UTC

0 Karma
Reply

dtakacssplunk
Explorer
‎01-30-2018 03:07 PM

Thanks! is there any simpler way to do this?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...