Question:

I spent a fair amount of time perusing Google and Splunk Answers but couldn't seem to find a solution that made sense. Essentially the requirement I have is to display a timestamp in a Splunk dashboard in a specific timezone, regardless of what user preferences people have configured. The reason for this requirement is that we have several members located globally that have a legitimate/more frequent need to have their own timezone (so we can't ask them to change to Eastern), but the dashboard in question specifically needs to report on issues using Eastern time (they need to look the same for everyone). I feel like there must be some simple way to do this that I just haven't found.

I'm not doing anything complicated right now, I'm just converting a UNIX timestamp with strftime:

When I display them in a table they display in whatever the user preference is for timezone.

Answer:

So a possible way around this: instead of having your search in your dashboard directly, you save the search as a saved report. (This report should be shared in app, readable by all roles who should be able to read and execute the searches on the dashboard, owned by a service account who has the correct timezone in their user preference, and configured to be Run As Owner.) When your search is loaded in the dashboard by a reference (e.g. using in SimpleXML or a ds.savedSearch datasource in Dashboard Studio, NOT with | savedsearch "searchName"), the search will then execute as the owner instead of as the user, and magic, standardized TZs.

Now the drawback here is of course everyone who can read this search is running this search with the same Splunk role, so no per-user index filtering is happening at search time here. But maybe this isn't a problem for your use case.

Another option may be to ignore the TZ issue, and just include a time zone indicator in your format string, e.g. %z or %Z, but again, depends on your use case.

Answer:

I know this question is old, but it has 27K views, and no verified answer, and is the top SplunkBase result when I search "change timezone at search time," so it seems like it's still relevant. I had this problem as well. I have events that contain multiple time fields, and sometimes I want to sort those events based on, or otherwise display, time fields that are NOT the event's timestamp, and show those times in local time for human consumption. To be clear, my log's indexed timestamps are processed correctly, but each event additionally has three more date-time fields that are input in UTC, and I would like to output them in local time.

After searching for a long time through SplunkBase and the documentation with no results, I believe I've figured out a solution on my own. Assuming original time field origtime is in format %Y-%m-%d %T and is in UTC (but has no timezone notation in the original string):

| eval newctime = strptime(origtime." UTC","%Y-%m-%d %T %Z")

Answer:

Here's one way.

| rename COMMENT as "The above just gets a couple of records for demonstration purposes."
| eval TimeDisp=strftime(_time,myDateFormat." %Z")
| eval localDisp=strftime(2*_time-strptime(strftime(_time,myDateFormat." ".myTzName),myDateFormat." %Z"),myDateFormat)." ".myTzName

This takes the relevant time UTC, pretends it is local, then translates it back to UTC. It then applies whatever the difference in seconds was to the original time, then formats the result with the local time zone at the end. Set the values of myDateFormat and myTzName as desired. The method is for display only, not for changing the underlying data. It will get the wrong answer for a couple of hours each year when the calculation is performed across the hours that the time is changing to and from daylight savings. Worse, the method is in essence hardcoding the output expectation for the time zone (PST versus PDT), so the report results will be presenting a time zone that is not actually in effect during half the year.
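The 2*_time double-conversion trick described in the thread, together with its daylight-saving caveats, as an added Python model that is not Splunk's code and not from any of the posts: spl_strftime and spl_strptime_z are stand-ins for the SPL functions, and the abbreviation-to-offset table, the viewer zones and the sample instants are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed stand-in for what a trailing %Z resolves to when parsed: an
# abbreviation is a fixed offset, which is why "PST" stays at -8 all year.
ABBREV_OFFSET_HOURS = {"UTC": 0, "EST": -5, "PST": -8}


def spl_strftime(epoch, fmt, search_zone):
    """Model of Splunk strftime(): renders epoch seconds in the searching user's zone."""
    return datetime.fromtimestamp(epoch, ZoneInfo(search_zone)).strftime(fmt)


def spl_strptime_z(text, fmt):
    """Model of Splunk strptime() with fmt." %Z": the last token names the zone."""
    stamp, abbrev = text.rsplit(" ", 1)
    fixed = timezone(timedelta(hours=ABBREV_OFFSET_HOURS[abbrev]))
    return datetime.strptime(stamp, fmt).replace(tzinfo=fixed).timestamp()


def display_in_zone(epoch, my_tz_name, search_zone, fmt=FMT):
    """The thread's trick: strftime(2*_time - strptime(strftime(_time, fmt." ".tz), fmt." %Z"), fmt)." ".tz"""
    pretend_local = spl_strptime_z(spl_strftime(epoch, fmt + " " + my_tz_name, search_zone), fmt)
    shifted = 2 * epoch - pretend_local  # undo the viewer's offset, apply the target's
    return spl_strftime(shifted, fmt, search_zone) + " " + my_tz_name


def reference_display(epoch, iana_zone, fmt=FMT):
    """What a real zone conversion shows (honours DST, so the abbreviation can change)."""
    return datetime.fromtimestamp(epoch, ZoneInfo(iana_zone)).strftime(fmt + " %Z")


def utc_epoch(*ymdhms):
    """Constructed sample instant, built from a UTC wall clock."""
    return datetime(*ymdhms, tzinfo=timezone.utc).timestamp()


if __name__ == "__main__":
    viewers = ("UTC", "America/New_York")
    # Mid-January: every viewer sees the same PST string, and it matches reality.
    t_jan = utc_epoch(2024, 1, 15, 12, 0, 0)
    # 07:30 UTC on 10 March 2024: 30 minutes after New York sprang forward, but
    # the shifted instant lands before the transition, so that viewer is an hour off.
    t_dst = utc_epoch(2024, 3, 10, 7, 30, 0)
    # Mid-July: the trick still prints "PST" although Los Angeles is on PDT.
    t_jul = utc_epoch(2024, 7, 15, 12, 0, 0)
    for label, t in (("January", t_jan), ("DST edge", t_dst), ("July", t_jul)):
        print(label, "reference:", reference_display(t, "America/Los_Angeles"))
        for zone in viewers:
            print("  viewer in", zone, "->", display_in_zone(t, "PST", zone))
```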