16 Nov 2023 11:26 AM
Hi,
For my customer we have the scenario where they are spanning multiple timezones, e.g. GMT+1 and GMT+4:30.
In Splunk each user can set up their preferred timezone: https://docs.splunk.com/Documentation/UBA/5.3.0/User/Profile
That allows them to have a uniform view of all the data, typically UTC.
In DQL we can do a formatTimestamp to work around it - but I found no way to reliably use formatTimestamp and have it output UTC. In theory we can do it with parsing & then re-formatting it but that is cumbersome to add to every single query. Can we do this with formatTimestamp? (In Java you can also define the zone you want, I don't see that option here).
16 Nov 2023 11:42 AM
Hi @eduard_van_der1,
I don't know if this can help you, but for example, to position myself in GMT+2, I use this filter in DQL:
fetch logs, from:toTimestamp("T00:00:00+2")
Let me know if this suits you 🙂