Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timezone- Could you please help me convert all the values to a standard  timezone(UTC)?

ranjithan
Path Finder
‎10-23-2022 07:27 AM

Hi Community,

Please help me..

I have a field Expiration with values having different timezones . Could you please help me convert all the values to a standard  timezone(UTC).  Any help would be appreciated.  Thanks in advance

Expiration

18:02:56 EDT Oct 5 2022
12:02:56 CDT Oct 5 2022
13:02:56 EDT Oct 5 2022
18:02:56 CDT Oct 5 2022
18:59:59 EST Nov 15 2022
19:59:59 EDT Oct 5 2022
17:02:56 UTC Oct 5 2022
18:59:59 CDT Oct 5 2022
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 07:44 AM

Hi @ranjithan,

you could extract the timezone from the field and then put in a lookup the convertion factor.

so create a lookup called timezone_convertion_factor.csv with two columns: timezone, convertion_factor like the following (in the real case, obviously put all the values that you can find in many sites as https://en.wikipedia.org/wiki/List_of_tz_database_time_zones😞

 

timezone convertion_factor
EDT -5
CDT -6
EST -5
UTC 0

 

 you could run something like this:

 

<your_search>
| eval timezone=strftime(Expiration,"%Z")
| lookup timezone_convertion_factor.csv timezone OUTPUT convertion_factor
| eval Expitarion_UTC=Expitarion+convertion_factor*3600
| table Expitarion_UTC

 

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 07:44 AM

Hi @ranjithan,

you could extract the timezone from the field and then put in a lookup the convertion factor.

so create a lookup called timezone_convertion_factor.csv with two columns: timezone, convertion_factor like the following (in the real case, obviously put all the values that you can find in many sites as https://en.wikipedia.org/wiki/List_of_tz_database_time_zones😞

 

timezone convertion_factor
EDT -5
CDT -6
EST -5
UTC 0

 

 you could run something like this:

 

<your_search>
| eval timezone=strftime(Expiration,"%Z")
| lookup timezone_convertion_factor.csv timezone OUTPUT convertion_factor
| eval Expitarion_UTC=Expitarion+convertion_factor*3600
| table Expitarion_UTC

 

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution

ranjithan
Path Finder
‎10-23-2022 08:41 AM

Thank you so much   .    Also I just realised that using   %Z  with strptime automatically converts to epoch time from any time zone and this also can  standardise the time    for time calculations.  

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-23-2022 11:31 PM

HI @ranjithan,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

ranjithan
Path Finder
‎10-24-2022 02:56 AM

Thanks again for your help! 

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...