Splunk Search

Time field always gives nanoseconds without format variable

jooi
New Member
`xd_index`_alerts SiteName="*" ServerType="Member"| eval _time=_time-(strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S")." GMT+8","%Y-%m-%dT%H:%M:%S%Z")-_time) | stats latest(_time) AS latest_alert_time latest(Value) AS Value latest(Value2) AS Value2 latest(Severity) AS Severity BY SiteName orig_host AlertName Details |  convert ctime(latest_alert_time) AS latest_alert_time | eval View = case(    like(AlertName, "%Service Critical"), "services_group",    like(AlertName, "CPU %"), "host_proc_detail",    like(AlertName, "Memory %"), "host_mem_detail",    like(AlertName, "Pages/sec%"), "host_mem_detail",    like(AlertName, "Disk%"), "host_disk_detail"    ) |  sort latest_alert_time |Eval Value=round(Value,0) |Eval Value2=round(Value2,0) |table latest_alert_time SiteName AlertName Severity orig_host Details Value Value2 View |  rename latest_alert_time AS "Time" AlertName AS Alert orig_host AS Host SiteName AS Site | sort -Time |

I am using this to find some data, but my "Time" field, also known as latest_alert_time, always returns nanoseconds even though my strptime and strftime eval has no %N or %6N in it. Any idea why?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

The convert ctime() command is setting the format implicitly. It has nothing to do with the strptime() and strftime() functions, which are just being used to calculate an offset.

Try...

| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest_alert_time) AS latest_alert_time 

By the way, mathematically this...

| eval _time=_time-(strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S")." GMT+8","%Y-%m-%dT%H:%M:%S%Z")-_time) 

...is the same as this...

| eval _time=strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S")." GMT+8","%Y-%m-%dT%H:%M:%S%Z")

... and is calculating the actual UTC value of _time, assuming that originally the _time was set as GMT+8 (China or Western Australia). Those time zones do not appear to have a daylight savings time adjustment, so the simple and fixed conversion should work fine.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...