FAQ: How do I interpret and format timestamps in a specific timezone?
Last Updated: 2021-09-13
Timestamps are stored as UTC (Coordinated Universal Time) and are therefore timezone independent. If you need to interpret a timestamp in an explicit timezone, for example to decide which local calendar day an event falls on, you can do so at query time with formatTime():
formatTime("%a %d %b %Y, %R", as=fmttime, field=@timestamp, locale=en_US, timezone=PST)
In the above example, "PST" is an alias for US Pacific time. Note that on 8 September 2021 that zone is observing daylight saving (PDT, UTC-7), which is why the two outputs below differ by seven hours rather than eight; for this reason an unambiguous IANA zone name such as America/Los_Angeles is preferable to a three-letter abbreviation, which may collide with other zones (CST, IST) and does not itself say whether daylight saving applies. The locale selects the language used to expand day and month names, in this case US English, which would output:
Wed 08 Sep 2021, 13:43
Changing the timezone to GMT outputs the corresponding UTC value as:
Wed 08 Sep 2021, 20:43
Check that the timezone you pass is the one the source actually used, and that the source event's own timestamp carries enough information to interpret it (ideally an explicit UTC offset); rendering a timestamp in the wrong zone shifts events across day boundaries and breaks correlation with other data sources.
You can also resolve the timezone once, at ingestion time, by adding parseTimestamp() to the parser. The regex below captures the bracketed access-log timestamp as text, and parseTimestamp() converts it to the stored UTC value:
/(?<client>\S+)\s+-\s+(?<userid>\S+)\s+\[(?<@timestamp>[^\]]+)\]\s+"((?<method>\S+)\s+(?<url>\S+)?\s+(?<httpversion>\S+)?|-)"\s+(?<statuscode>\d+)\s+(?<responsesize>\S+)\s+"(?<referrer>[^"]*)"\s+"(?<useragent>[^"]*)"\s*(?<responsetime>(\d|\.)+)?/
| parseTimestamp(format="dd/MMM/yyyy:HH:mm:ss Z", timezone="PST", field=@timestamp)
Two details matter here. The format string is a Java-style pattern in which Z matches an explicit offset such as -0700; when the event carries one, that offset is used, and the timezone argument is only consulted for events whose timestamp lacks zone information. The timestamp group uses [^\]]+ rather than .* so that the match cannot run past the closing bracket into the request or user-agent fields.
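The same two operations, parsing an access-log timestamp with a fallback zone and then formatting it in a chosen zone, as an added Python example; this is not LogScale code and not part of the original FAQ. It uses constructed log lines and Python's zoneinfo module (3.9+), and the resolve_zone() helper and its refusal of bare abbreviations such as PST are a hypothetical policy, not a LogScale feature. The block shows why that policy is worth having: a literal fixed UTC-8 renders the event above as 12:43, whereas America/Los_Angeles, which was on daylight time that day, gives the 13:43 shown in the FAQ.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError  # Python 3.9+

# Python form of the access-log regex above; the bracketed timestamp is
# captured as text and parsed separately, as parseTimestamp() does.
LOG_RE = re.compile(
    r'(?P<client>\S+)\s+-\s+(?P<userid>\S+)\s+\[(?P<timestamp>[^\]]+)\]\s+'
    r'"((?P<method>\S+)\s+(?P<url>\S+)?\s+(?P<httpversion>\S+)?|-)"\s+'
    r'(?P<statuscode>\d+)\s+(?P<responsesize>\S+)\s+"(?P<referrer>[^"]*)"\s+'
    r'"(?P<useragent>[^"]*)"\s*(?P<responsetime>(\d|\.)+)?'
)

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # strptime form of dd/MMM/yyyy:HH:mm:ss Z
OUT_FORMAT = "%a %d %b %Y, %H:%M"    # %H:%M instead of %R, which is not portable in Python

# Fixed-offset zones used below to show what a bare abbreviation silently means.
FIXED_UTC_MINUS_8 = timezone(timedelta(hours=-8))   # what "PST" literally denotes
FIXED_UTC_MINUS_7 = timezone(timedelta(hours=-7))   # the actual Pacific offset on 8 Sep 2021

# Hypothetical policy: three-letter abbreviations are either ambiguous (CST, IST)
# or pin a single offset and ignore daylight saving (PST), so refuse them.
AMBIGUOUS_ABBREVIATIONS = {"PST", "PDT", "EST", "EDT", "CST", "CDT", "MST", "MDT", "IST", "BST"}


def resolve_zone(name):
    """Map a zone name to a tzinfo: UTC/GMT or an IANA name such as
    America/Los_Angeles. Returns None when no tz database is installed."""
    if name.upper() in AMBIGUOUS_ABBREVIATIONS:
        raise ValueError(f"{name!r} is ambiguous; use an IANA zone such as America/Los_Angeles")
    if name.upper() in ("UTC", "GMT", "Z"):
        return timezone.utc
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return None


def parse_timestamp(text, fmt=TS_FORMAT, default_tz=timezone.utc):
    """Parse a timestamp. An offset present in the text always wins; default_tz
    is applied only when the text carries no zone information, which is the
    fallback role the timezone= argument plays in the parser above."""
    try:
        dt = datetime.strptime(text, fmt)
    except ValueError:
        if " %z" not in fmt:
            raise
        dt = datetime.strptime(text, fmt.replace(" %z", ""))  # retry without the offset
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=default_tz)


def format_time(dt, tz=timezone.utc, fmt=OUT_FORMAT):
    """Render an aware datetime in the given zone (the formatTime() step)."""
    return dt.astimezone(tz).strftime(fmt)


def parse_log_line(line, default_tz=timezone.utc):
    """Split one combined-log line into fields and attach a parsed @timestamp."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("line does not match the access-log pattern")
    event = m.groupdict()
    event["@timestamp"] = parse_timestamp(event.pop("timestamp"), default_tz=default_tz)
    return event


# Constructed sample lines: one with an explicit offset, one without.
LINE_WITH_OFFSET = ('198.51.100.7 - - [08/Sep/2021:13:43:12 -0700] "GET /login HTTP/1.1" '
                    '200 512 "-" "Mozilla/5.0" 0.042')
LINE_NO_OFFSET = ('198.51.100.7 - - [08/Sep/2021:13:43:12] "GET /login HTTP/1.1" '
                  '200 512 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    ts = parse_log_line(LINE_WITH_OFFSET)["@timestamp"]
    print("UTC:                 ", format_time(ts))                      # Wed 08 Sep 2021, 20:43
    print("fixed UTC-8 ('PST'): ", format_time(ts, FIXED_UTC_MINUS_8))   # Wed 08 Sep 2021, 12:43 (wrong in September)
    la = resolve_zone("America/Los_Angeles")
    if la is not None:
        print("America/Los_Angeles: ", format_time(ts, la))              # Wed 08 Sep 2021, 13:43 (DST applied)
    # Same local text with no offset: default_tz decides, so the UTC instant moves.
    naive = parse_log_line(LINE_NO_OFFSET, default_tz=FIXED_UTC_MINUS_7)["@timestamp"]
    print("no offset, default -07:00 ->", format_time(naive))            # Wed 08 Sep 2021, 20:43
```

Run it as a script to see the three renderings side by side; the fixed UTC-8 line is the one a "PST" alias produces if the backend treats it as a constant offset rather than a daylight-saving-aware zone, so compare the ingested values against a known event before relying on an abbreviation.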