UTC 转北京时间
index=o365
| spath input=AuditData
| eval time=strftime(strptime(CreationDate,"%m/%d/%Y %I:%M:%S %p")+28800,"%Y-%m-%d %H:%M:%S")
| table CreationDate time
UTC 转北京时间
index=o365
| spath input=AuditData
| eval time=strftime(strptime(CreationDate,"%m/%d/%Y %I:%M:%S %p")+28800,"%Y-%m-%d %H:%M:%S")
| table CreationDate time