I am a little confused, as I have some events ingesting from a .csv file in Splunk from different timezones (China, Pacific, Eastern, Europe, etc.). I have fields like start time, end time, TimeZone, TimeZoneID, sitename, conferenceID & hostname, etc.
For your info (conferenceID=131146947830496273, 130855971227450408, ...), I was wondering: if I have to do a ".......|stats count of conferenceID" for a particular time interval (ex., 12:00 pm to 15:00 pm today) while sitting in the Pacific timezone, using the start time and end time from the events, the search should collect all events according to the time interval in their originating timezones, not the Splunk timezone's time interval.
Below are some samples of the logs which I have:
testincsso,130878564690050083, Shona,"GMT-07:00, Pacific (San Francisco)",4,06/17/2019 09:33:17,06/17/2019 09:42:23,10,0,0,0,0,0,0,9,0,0,1,0,0,1,1 host = usloghost1.example.com sourcetype =webex_cdr 6/17/19 12:29:03.060 AM
testincsso,129392485072911500,Meng,"GMT+08:00, China (Beijing)",45,06/17/2019 07:29:03,06/17/2019 07:59:22,31,0,0,0,0,0,0,0,0,30,1,1,0,0,1 host = usloghost1.corp.example.com sourcetype = webex_cdr 6/17/19 12:19:11.060 AM
testincsso,131121310031953680,sarah ward,"GMT-07:00, Pacific (San Francisco)",4,06/17/2019 07:19:11,06/17/2019 07:52:54,34,0,0,0,0,0,0,0,0,34,3,3,0,0,2 host = usloghost1.corp.example.com sourcetype = webex_cdr 6/17/19 12:00:53.060 AM
testincsso,130878909569842780,Patrick Janesch,"GMT+02:00, Europe (Amsterdam)",22,06/17/2019 07:00:53,06/17/2019 07:04:50,4,0,0,0,0,0,0,4,0,2,3,2,0,1,2 host = usloghost1.corp.example.com sourcetype = webex_cdr
Update:
There are 2 fields in the events, start time and end time, for every conference it held in its local timezone (the event-originating TZ). Also, _time refers to the Splunk time, which I don't need in this case. What I need: there are date_hour, date_minute, date_second, etc. fields which show the event's local timezone time (China, Europe, Asia, etc.). So when I sit here in the Pacific TZ and try searching for index=test "testincsso" | stats count(conferenceID) by _time, taking the time interval of the last 4 hours, the output should display the count of conferences by taking the count from all events, comparing with their local TZ's time for the last 4 hours. So do I need to use "| eval hour = strftime(_time,"%H")" or "| eval mytime=_time | convert timeformat="%H" ctime(mytime)" before stats? Thanks.
Also, changing the time picker default behavior may give correct results. I have events with fields "start time" and "end time" from different TZs. So when I try to search events, ex., date range "06-16-2019" using the time picker, I should get all events by looking at the field "start time" in the events, not the "_time" of Splunk. I want to change my Splunk time picker default behavior so it gives output by looking at the events' fields (ex., "start time" & "end time"). Below is the query I changed in the source XML.
index=test sourcetype=webex "testinc" | eval earliest=$toearliest$ | eval latest=if($tolatest$ < 0, now(), $tolatest$) | eval datefield=strptime('start time', "%m/%d/%Y %H:%M:%S") | where datefield>=earliest AND datefield<=latest | stats count(conferenceID)
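An added worked example (not the poster's query or Splunk output) of the normalisation the question is asking about, in Python so it runs offline on the sample rows: it parses the GMT offset out of the quoted TimeZone field, attaches it to start time, and counts conferences either against an absolute window expressed in the analyst's Pacific offset or against each event's own wall-clock time. The rows, the column positions and the PDT offset of UTC-7 are assumptions taken from the sample lines in the question.

```python
import csv
import re
from datetime import datetime, timedelta, timezone

# Constructed rows in the question's CSV layout (first eight columns only):
# conferenceID is column 2, TimeZone column 4, start time 6, end time 7.
SAMPLE_LINES = [
    'testincsso,130878564690050083,Shona,"GMT-07:00, Pacific (San Francisco)",4,06/17/2019 09:33:17,06/17/2019 09:42:23,10',
    'testincsso,129392485072911500,Meng,"GMT+08:00, China (Beijing)",45,06/17/2019 07:29:03,06/17/2019 07:59:22,31',
    'testincsso,130878909569842780,Patrick Janesch,"GMT+02:00, Europe (Amsterdam)",22,06/17/2019 07:00:53,06/17/2019 07:04:50,4',
]
TS_FMT = "%m/%d/%Y %H:%M:%S"
TZ_RE = re.compile(r"GMT([+-])(\d{2}):(\d{2})")
PACIFIC = timezone(timedelta(hours=-7))  # assumed analyst offset (PDT) for June 2019

def parse_offset(tz_field):
    """'GMT-07:00, Pacific (San Francisco)' -> fixed-offset tzinfo (UTC-07:00)."""
    m = TZ_RE.search(tz_field)
    if not m:
        raise ValueError(f"unrecognised TimeZone field: {tz_field!r}")
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))

def parse_record(line):
    """Return (conferenceID, start, end) with start/end as aware datetimes in the
    event's own zone. csv.reader handles the quoted, comma-containing TimeZone field."""
    f = next(csv.reader([line]))
    tz = parse_offset(f[3])
    start = datetime.strptime(f[5], TS_FMT).replace(tzinfo=tz)
    end = datetime.strptime(f[6], TS_FMT).replace(tzinfo=tz)
    return f[1], start, end

def count_conferences(lines, window_start, window_end, tz=None):
    """Count distinct conferences whose start time falls in [window_start, window_end),
    both given as 'MM/DD/YYYY HH:MM:SS' strings.
    tz given  -> the window is an absolute instant in that zone (e.g. PACIFIC) and each
                 event's own GMT offset is honoured: 07:29 Beijing is 16:29 PDT the day before.
    tz=None   -> the window is matched against each event's local wall-clock time,
                 the "12:00 to 15:00 in its originating timezone" reading of the question."""
    w_start = datetime.strptime(window_start, TS_FMT).replace(tzinfo=tz)
    w_end = datetime.strptime(window_end, TS_FMT).replace(tzinfo=tz)
    ids = set()
    for line in lines:
        conf_id, start, _end = parse_record(line)
        if tz is None:
            start = start.replace(tzinfo=None)  # drop the offset: compare wall clock only
        if w_start <= start < w_end:
            ids.add(conf_id)
    return len(ids)
```

The same two readings map onto SPL: building an epoch with the event's own offset gives an absolute comparison, while date_hour/date_minute style fields give the wall-clock one, so decide which the report needs before writing the search.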