I know this question is old, but it has 27K views, and no verified answer, and is the top SplunkBase result when I search "change timezone at search time," so it seems like it's still relevant.
I had this problem as well; I have events that contain multiple time fields, and sometimes I want to sort those events based on, or otherwise display, time fields that are NOT the event's timestamp, and show those times in local time for human consumption. To be clear, my log's indexed timestamps are processed correctly, but each event additionally has three more date-time fields that are input in UTC, and I would like to output them in local time.
After searching for a long time through SplunkBase and the documentation with no results, I believe I've figured out a solution on my own.
Assuming original time field origtime is in format %Y-%m-%d %T and is in UTC (but has no timezone notation in the original string):
| replace * with "* UTC" in origtime
| eval newctime = strptime(origtime,"%Y-%m-%d %T %Z")
| eval newstrtime = strftime(newctime,"%Y-%m-%d %T")
If your original timestamp fields are in some other timezone, just change "UTC" to whatever your timezone value is.
Output (reports) can now use newstrtime as human-readable localized time; for machine-readable purposes (like sorting or timecharts) you can use newctime.
Maybe better Splunkers can make a more elegant set of commands, but this appears to work for me.
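Added example, not part of the original post: the same UTC-to-local conversion applied to several extra time fields at once with foreach, appending the zone by eval concatenation rather than replace. The field names opened, acked and closed, their values, and ack_delay_sec are constructed for illustration; makeresults supplies one sample event so the search runs without any indexed data.

```spl
| makeresults count=1
| eval opened="2024-01-15 23:30:00", acked="2024-01-16 00:05:12", closed="2024-01-16 02:41:07"
| foreach opened acked closed
    [ eval <<FIELD>>_epoch = strptime('<<FIELD>>' . " UTC", "%Y-%m-%d %T %Z"),
           <<FIELD>>_local = strftime('<<FIELD>>_epoch', "%Y-%m-%d %T %z") ]
| eval ack_delay_sec = acked_epoch - opened_epoch
| sort 0 opened_epoch
| table opened opened_local acked acked_local closed closed_local ack_delay_sec
```

The *_epoch fields are the ones to sort and do arithmetic on; the *_local strings carry a numeric offset (%z) so a reader of the report can tell which zone was applied.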