Running a Splunk Search in a Different Time Zone
We had a recent request to create a Splunk alert that runs hourly with a time range of midnight UTC of the current date to the current time. This sounds like an easy request, but when you look into it, it is a bit more complicated than it seems.
The earliest / latest time modifiers in SPL accept -0d@d to snap to the start of the current day, but that snap is calculated in the time zone of the user who runs the search. My user ID on the system is set to EST, so "start of day" lands 4 or 5 hours into the UTC day, depending on the time of year and whether the user's time zone follows daylight saving time.
The initial idea to get around this was to create a local user in Splunk with its time zone set to UTC and have the saved search run as that user, but that was ultimately rejected: security policy requires that all users in the environment are backed by Active Directory, and local users are not allowed.
We pivoted to finding an SPL search that would meet the requirement on its own. Here is how we solved it.
First, how do we get midnight UTC? Let's start by getting the current date: run strftime against the current time and return only "%Y-%m-%d" (year, month, day):
| makeresults
| eval search=strftime(now(), "%Y-%m-%d")
| table search
This returns the current date as a string (2024-10-15 on the day this was written, as the epoch value further down shows).
Now let's append the time of day to that string so it reads as midnight:
| makeresults
| eval search=strftime(now(), "%Y-%m-%d") + " 00:00:00"
| table search
This shows as 2024-10-15 00:00:00.
Next, let's add the UTC offset (+0000) to the string:
| makeresults
| eval search=strftime(now(), "%Y-%m-%d") + " 00:00:00 +0000"
| table search
Which returns the current date at midnight UTC: 2024-10-15 00:00:00 +0000. Perfect start.
Now we parse that string into an epoch timestamp using strptime, telling it to honour the offset with %z:
| makeresults
| eval search=strftime(now(), "%Y-%m-%d") + " 00:00:00 +0000"
| eval search=strptime(search, "%Y-%m-%d %H:%M:%S %z")
| table search
We have an epoch timestamp:
1728950400.000000
which trusty https://epochconverter.com confirms is 2024-10-15 00:00:00 UTC, so the string has been translated to midnight UTC rather than midnight in the user's time zone.
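Before wiring this into an alert, it is worth checking the one assumption the string method relies on. strftime formats now() in the time zone of the user running the search, just as @d snaps in that time zone, so for a user west of UTC the "%Y-%m-%d" string is still yesterday's date between 00:00 UTC and local midnight. Because epoch seconds are counted from 1970-01-01 00:00 UTC, floor(now()/86400)*86400 is the current UTC midnight with no time zone involved at all, and it can be used to verify the string method. The following search is an added example, not part of the original post; the field names are my own.

```spl
| makeresults
| eval local_now=strftime(now(), "%Y-%m-%d %H:%M:%S %z")
| eval date_string=strftime(now(), "%Y-%m-%d") + " 00:00:00 +0000"
| eval midnight_from_string=strptime(date_string, "%Y-%m-%d %H:%M:%S %z")
| eval midnight_from_epoch=floor(now()/86400)*86400
| eval difference_hours=(midnight_from_epoch - midnight_from_string)/3600
| eval agree=if(midnight_from_string==midnight_from_epoch, "yes", "no")
| table local_now date_string midnight_from_string midnight_from_epoch difference_hours agree
```

Run this as the user the alert will execute as. For most of the day agree is "yes" and difference_hours is 0. Run it as an EST/EDT user between 00:00 UTC and local midnight (19:00 or 20:00 local the previous evening) and difference_hours becomes 24, because date_string carries the local date, which is one UTC day behind. An hourly alert would hit that window four or five times a day, so the purely arithmetic value is the safer one to feed into earliest=.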
Now, to feed this into the time modifiers of a real search, we wrap it in square brackets to make it a subsearch. The subsearch runs first, and because it sits before the first pipe and the returned field is named "search", Splunk substitutes the returned value verbatim into the outer search, where it becomes the value of earliest=:
index=indexname latest=now() earliest=[| makeresults | eval search=strftime(now(), "%Y-%m-%d") + " 00:00:00 +0000" | eval search=strptime(search, "%Y-%m-%d %H:%M:%S %z") | table search ]
<<... REST OF SEARCH>>
When this search runs, you can see under the search bar that it has returned events from 20:00 yesterday to now. Since I am in EST and UTC is 4 hours ahead of my local time at the moment, 20:00 yesterday is exactly midnight UTC, so this has successfully met our criteria.
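For the scheduled alert itself, the same subsearch pattern works with the time zone independent arithmetic in place of the strftime/strptime round trip, so the result no longer depends on who the search runs as. This is an added example rather than the search from the original post: indexname is the placeholder index from the post, and the trailing stats is a stand-in for whatever the real alert computes.

```spl
index=indexname latest=now()
    earliest=[| makeresults
               | eval search=floor(now()/86400)*86400
               | table search]
| stats count AS events_since_utc_midnight
```

The subsearch returns a single field named search holding an integer epoch value, which Splunk drops straight into the outer search as earliest=1728950400 (on the example date above). Scheduling this hourly gives a window that always starts at the current UTC midnight, whether the owner's profile is set to EST, UTC or anything else.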
I hope you had as much fun with this SPL problem as I did. Thanks for reading!!
Looking to expedite your success with Splunk? Click here to view our Professional Service offerings.
© Discovered Intelligence Inc., 2024. Unauthorized use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.