Hello everyone!
In my company, we have Splunk (version 6.0) recording log information about data sent by remote devices (surveillance cameras) to our server.
Both our servers and the cameras are configured to send and record data with UTC timestamps. All the times shown in the log messages (the ones that are recorded by Splunk) are in UTC. Splunk's _time is UTC... Everything UTC! Yay!
BUT... when I perform a search, the times are converted to US/Eastern, which is MY timezone. Is there a way to force (through the Search string, not altering Splunk's configuration files or the user settings) the times to be displayed in UTC?
Let me show you an example:
Let's say the log message shows something like:
hostname=server01 server_time=2015-03-27_16:19:00 Time mismatch error: camera_time=1970-01-01_11:00:00 sent by camera_id='123foo' is out of date.
I know for a fact that both server_time and camera_time on the message above are in UTC. But when I run a search to show a table with all the cameras that have outdated timestamps, that time is converted to my timezone (US/Eastern).
hostname=server* earliest=-24h "Time mismatch error" | sort -_time | dedup 1 camera_id | eval server_time=strptime(server_time, "%Y-%m-%d_%H:%M:%S") | eval camera_time=strptime(camera_time, "%Y-%m-%d_%H:%M:%S") | eval server_time=strftime(server_time,"%Y-%m-%d %T %Z") | eval camera_time=strftime(camera_time,"%Y-%m-%d %T %Z") | table camera_id server_time camera_time
Shows:
+-----------+-------------------------+-------------------------+
| camera_id | server_time             | camera_time             |
+-----------+-------------------------+-------------------------+
| 123foo    | 2015-03-27 12:19:00 EDT | 1970-01-01 06:00:00 EST |
+-----------+-------------------------+-------------------------+
I'd like to keep the two time values in UTC, if possible, not applying the -5.00 (or -4.00 now that the East coast is in Daylight Savings Time) hours correction through... something in the search string, so my table would look something like:
+-----------+-------------------------+-------------------------+
| camera_id | server_time             | camera_time             |
+-----------+-------------------------+-------------------------+
| 123foo    | 2015-03-27 16:19:00 UTC | 1970-01-01 11:00:00 UTC |
+-----------+-------------------------+-------------------------+
The most "desperate" thing I've tried is "fooling" strptime to "artificially" stick a UTC string in it:
eval camera_time=strptime(strftime(strptime(camera_time, "%Y-%m-%d_%H:%M:%S"), "%Y-%m-%d_%H:%M:%S UTC"), "%Y-%m-%d_%H:%M:%S %Z")
Read as: Get the camera_time, make a date out of it using strptime, then convert that back to a string but ending it with 'UTC' this time, and make a date out of that string again.
Didn't work. I still see Eastern in the table.
As I mentioned before, I saw this other thread (http://answers.splunk.com/answers/41585/display-time-in-utc.html) in which the only (and accepted) answer talks about changing the user settings, but I'd like to avoid that. I want to show the times in UTC only for this particular search. Is that possible? It looks like something that should be very doable, since all the Splunk times are UTC, but I haven't been able to figure out how.
Thank you in advance.
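An added example search (not from the original post) that keeps the two string fields in UTC without ever round-tripping them through strptime, which is what re-labels them in the user's zone, and that also renders _time as UTC wall-clock by subtracting the per-event local offset; it assumes Splunk's strftime honours %z (a -HHMM/+HHMM offset string) and that server_time and camera_time are always in the underscore-separated form shown above:

```spl
hostname=server* earliest=-24h "Time mismatch error"
| sort -_time
| dedup 1 camera_id
| eval server_time=replace(server_time, "_", " ") . " UTC"
| eval camera_time=replace(camera_time, "_", " ") . " UTC"
| eval tz=strftime(_time, "%z")
| eval tz_secs=(tonumber(substr(tz, 2, 2)) * 3600 + tonumber(substr(tz, 4, 2)) * 60) * if(substr(tz, 1, 1) = "-", -1, 1)
| eval event_time_utc=strftime(_time - tz_secs, "%Y-%m-%d %H:%M:%S UTC")
| table camera_id server_time camera_time event_time_utc
```

The offset is computed per event rather than hard-coded, so events on either side of the DST change (EDT -0400 vs EST -0500) both come out correct; the two camera/server fields are only reformatted as text, so the UTC values logged by the devices are displayed exactly as recorded.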