How to drop [UTC] from a column table in KQL

Question

Trying to clean up some columns coming into Sentinel from syslog, and working on changing from UTC to local time.

Here is an example of what I have so far:

print dt=now()
| extend pacific_dt = datetime_utc_to_local(dt, 'US/Pacific')
| extend PacificTime = pacific_dt
| project-away dt

What I would expect is two columns, one named pacific_dt and another named PacificTime. However, when the output is displayed, both column names are appended with [UTC]. Is there a way to remove the [UTC] text that's appended or a workaround to make a new column based on that data but not get the appended text in the column name?

Here's the example code and output. Query & Output

I am not getting UTC. Check this [img](https://i.imgur.com/GHT3v62.png) — Aswin, Jan 19 '23 at 01:50

score 1 · Accepted Answer · answered Jan 19 '23 at 07:47

As of today, all dates in KQL are stored as UTC.
datetime_utc_to_local() add an offset to the datetime, so it appears as a local time zone, however it is still a UTC date, just a different one.
If you now change your client display from UTC to local, you get an additional offset.

Please note the following:

The current UTC value now equals to the previous PST value.
The current PST value has double offset (-8h x 2)

Bottom line - Work with UTC, and let the client do the conversion to a local time zone.

How to drop [UTC] from a column table in KQL

1 Answers1