When retrieving results from Splunk, I get a _time field with the following value:
2016-08-26 12:50:03.000 GMT Daylight Time
As I'm in the UK and experiencing Daylight Savings Time, I know that should be a timezone of +01:00, however, I can't find any way to parse the timezone properly.
Splunk claims to use the TZ Database, however, the string GMT Daylight Time doesn't appear in the linked Wikipedia article.
Can I convince Splunk to use ISO 8601 formatting? Failing that, are the TZ strings splunk uses a standard format that I'm unaware of?
As it stands, it looks like I'm going to have to build and maintain a list of timezones just to parse messages correctly, which seems like a lot of unnecessary effort.
In case it helps, I'm currently using the Arrow library to handle dates, but can use another if required.
As requested in comments:
I'm POSTing the following data:
# self.filename is the path to the file I'm interested in, e.g. C:\Example.txt
# EventCode 4656 represents an access audit (raised when a file handle is requested)
# Backslashes in the path are doubled so they survive SPL string parsing.
data = {
    'search': 'search index=* EventCode=4656 Object_Name="{0}" | eval tztime = strftime(_time,"%Z") | sort -date'.format(
        self.filename.replace('\\', '\\\\')),
    'output_mode': 'json',
}
To this url:
https://{server}:{port}/servicesNS/admin/search/search/jobs/export
In the event that someone else is stumbling upon this question while having the same issue: you need to specify the parameter "time_format", as mentioned in the documentation here:
https://docs.splunk.com/Documentation/Splunk/9.4.0/RESTREF/RESTsearch#search.2Fjobs.2Fexport
It defaults to %FT%T.%Q%:z.
In your case, if you are looking for an ISO formatting, you need to specify %Y-%m-%dT%H:%M:%S.%Q%:z
The documentation about the various time formats used by Splunk is available here: https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Commontimeformatvariables
Note that this also applies to the Splunk Python SDK, where you need to pass the "time_format" field as a kwarg.
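To tie the answer back to the question, here is an added example (not code from the question, the answer, or Splunk) that builds the export POST payload with the time_format the answer recommends and then parses the resulting ISO 8601 _time value with the standard library rather than Arrow. The endpoint URL, the sample export body, and the use of sort -_time instead of the question's sort -date are my assumptions; the JSON-lines shape of the export response is what I have seen from that endpoint, but the sample line itself is constructed. The search string is built with a small escaping helper that doubles backslashes (as the question does) and also escapes embedded double quotes, so a file name containing a quote cannot terminate the literal and alter the rest of the search.

```python
import json
from datetime import datetime, timezone

# Assumed endpoint (placeholders for your own server and port), as in the question.
SPLUNK_EXPORT_URL = "https://{server}:{port}/servicesNS/admin/search/search/jobs/export"

# ISO 8601 output format for _time, as recommended in the answer above.
ISO_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%Q%:z"

# Constructed sample of what the export endpoint streams back: one JSON object
# per line, each carrying the event under "result". Not real Splunk output.
SAMPLE_EXPORT_BODY = (
    '{"preview":false,"offset":0,"result":{"_time":"2016-08-26T12:50:03.000+01:00",'
    '"Object_Name":"C:\\\\Example.txt","EventCode":"4656"}}\n'
)


def spl_quote(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL string literal.

    Backslashes are doubled (as the question already does) and embedded
    double quotes are escaped, so an untrusted path cannot close the
    literal and inject additional search commands.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_export_payload(filename: str, time_format: str = ISO_TIME_FORMAT) -> dict:
    """Form fields to POST to the export endpoint, including time_format."""
    search = 'search index=* EventCode=4656 Object_Name="{0}" | sort -_time'.format(
        spl_quote(filename)
    )
    return {"search": search, "output_mode": "json", "time_format": time_format}


def parse_splunk_time(value: str) -> datetime:
    """Parse an ISO 8601 _time such as 2016-08-26T12:50:03.000+01:00 into a
    timezone-aware datetime. %z accepts the colon form of the offset on
    Python 3.7 and later."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def utc_offset_hours(value: str) -> float:
    """The UTC offset carried by the timestamp, in hours (e.g. 1.0 for BST)."""
    return parse_splunk_time(value).utcoffset().total_seconds() / 3600


def to_utc(value: str) -> datetime:
    """Normalise a parsed _time to UTC for comparison across sources."""
    return parse_splunk_time(value).astimezone(timezone.utc)


def results_from_export(body: str) -> list:
    """Extract the 'result' dicts from an export response body and attach a
    parsed datetime under '_time_parsed'. Lines without a result (previews,
    metadata) are skipped."""
    rows = []
    for line in body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        result = obj.get("result")
        if result is None:
            continue
        result["_time_parsed"] = parse_splunk_time(result["_time"])
        rows.append(result)
    return rows


if __name__ == "__main__":
    payload = build_export_payload("C:\\Example.txt")
    print(payload)
    for row in results_from_export(SAMPLE_EXPORT_BODY):
        print(row["Object_Name"], row["_time_parsed"].isoformat(), "->", to_utc(row["_time"]).isoformat())
```

The payload dict is what you would hand to requests.post (or urllib) as form data against SPLUNK_EXPORT_URL together with your authentication; the parsing functions then work on the streamed body without any per-timezone lookup table, because the offset is carried inside each timestamp.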