Splunk strftime
I know this question is old, but it has 27K views, and no verified answer, and is the top SplunkBase result when I search "change timezone at search time," so it seems like it's still relevant.

I had this problem as well. I have events that contain multiple time fields, and sometimes I want to sort those events based on, or otherwise display, time fields that are NOT the event's timestamp, and show those times in local time for human consumption.

After searching for a long time through SplunkBase and the documentation with no results, I believe I've figured out a solution on my own.

Assuming original time field origtime is in format %Y-%m-%d %T and is in UTC (but has no timezone notation in the original string):

| eval newctime = strptime(origtime." UTC","%Y-%m-%d %T %Z")
| eval newstrtime = strftime(newctime,"%Y-%m-%d %T")

To be clear, my log's indexed timestamps are processed correctly, but each event additionally has three more date-time fields that are input in UTC, and I would like to output them in local time.

If your original timestamp fields are in some other timezone, just change "UTC" to whatever your timezone value is. Output (reports) can now use newstrtime as human-readable localized time; for machine-readable purposes (like sorting or timecharts) you can use newctime.

Maybe better Splunkers can make a more elegant set of commands, but this appears to work for me.

I too am attempting to view a report and have the times show up in a different time zone.

Let's say something happened at noon eastern time (-4:00). Your solution simply changes the time, then displays this incorrect time in the "local" timezone so it appears correct.

| rename COMMENT as "The above just gets a couple of records for demonstration purposes."
| eval TimeDisp=strftime(_time,myDateFormat." %Z")
| eval localDisp=strftime(2*_time-strptime(strftime(_time,myDateFormat." ".myTzName),myDateFormat." %Z"),myDateFormat)." ".myTzName

This takes the relevant time UTC, pretends it is local, then translates it back to UTC. It then applies whatever the difference in seconds was to the original time, then formats the result with the local time zone at the end. Set the values of myDateFormat and myTzName as desired. The method is for display only, not for changing the underlying data.

It will get the wrong answer for a couple of hours each year when the calculation is performed across the hours that the time is changing to and from daylight savings. Worse, the method is in essence hardcoding the output expectation for the time zone (PST versus PDT), so the report results will be presenting a time zone that is not actually in effect during half the year.
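As an added example (not from the thread and not Splunk's own code), the Python below models strftime and strptime the way the two answers above use them and runs both methods against constructed 2024 US Eastern and Pacific zone tables, so the daylight-saving failure modes described above can be reproduced offline. The zone tables, the abbreviation-to-offset table and the sample instants are assumptions for illustration, not Splunk's real time-zone handling.

```python
from datetime import datetime, timedelta, timezone

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # the page's %T, spelled out for portability

def utc_epoch(*ymdhm):           # constructed sample instants, given in UTC
    return datetime(*ymdhm, tzinfo=timezone.utc).timestamp()

# Constructed DST-aware models of two US zones for 2024: (standard offset,
# daylight offset, DST start, DST end); offsets in hours, bounds as UTC epochs.
ZONES = {
    "America/New_York": (-5, -4, utc_epoch(2024, 3, 10, 7, 0), utc_epoch(2024, 11, 3, 6, 0)),
    "America/Los_Angeles": (-8, -7, utc_epoch(2024, 3, 10, 10, 0), utc_epoch(2024, 11, 3, 9, 0)),
}
# What a bare abbreviation resolves to under %Z: one fixed offset, DST-blind.
FIXED_ABBREV = {"UTC": 0, "EST": -5, "EDT": -4, "PST": -8, "PDT": -7}

def wall_clock(epoch, zone, fmt=DATE_FMT):
    """Reference answer: the wall-clock time in a DST-aware zone."""
    std, dst, start, end = ZONES[zone]
    hours = dst if start <= epoch < end else std
    return datetime.fromtimestamp(epoch, timezone(timedelta(hours=hours))).strftime(fmt)

def spl_strftime(epoch, fmt, user_tz):
    """Model of strftime(): renders in the searching user's zone (assumed DST-aware)."""
    return wall_clock(epoch, user_tz, fmt)

def spl_strptime_z(text, fmt):
    """Model of strptime() with a trailing ' %Z': the abbreviation is a fixed offset."""
    body, abbrev = text.rsplit(" ", 1)
    offset = timezone(timedelta(hours=FIXED_ABBREV[abbrev]))
    return datetime.strptime(body, fmt).replace(tzinfo=offset).timestamp()

def utc_field_to_local(origtime, user_tz, fmt=DATE_FMT):
    """First method: strptime(origtime." UTC", fmt." %Z"), then strftime(newctime, fmt)."""
    newctime = spl_strptime_z(origtime + " UTC", fmt)
    return spl_strftime(newctime, fmt, user_tz)

def local_disp(epoch, tz_name, user_tz, fmt=DATE_FMT):
    """Second method: strftime(2*_time - strptime(strftime(_time, fmt." ".tz), fmt." %Z"), fmt)." ".tz"""
    pretend = spl_strptime_z(spl_strftime(epoch, fmt, user_tz) + " " + tz_name, fmt)
    return spl_strftime(2 * epoch - pretend, fmt, user_tz) + " " + tz_name

if __name__ == "__main__":
    ny, la = "America/New_York", "America/Los_Angeles"
    print(utc_field_to_local("2024-07-15 17:00:00", ny))  # 13:00, Eastern is on EDT
    for label, t in [("winter", utc_epoch(2024, 1, 15, 17, 0)),
                     ("across the DST switch", utc_epoch(2024, 3, 10, 8, 30)),
                     ("summer with PST hardcoded", utc_epoch(2024, 7, 15, 17, 0))]:
        print(label, "|", local_disp(t, "PST", ny), "| true Pacific:", wall_clock(t, la))
```

The winter case matches the true Pacific wall clock; the instant shortly after the Eastern switch comes out an hour early because the shifted epoch is formatted on the other side of the transition, and the summer case shows the hardcoded "PST" label giving -8 while Pacific is actually on PDT.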