- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why strftime with %Z work differently between que...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
In my dashboard, i saw a strange things with Timezone printing. In fact i have to make time conversion and show detail for a specific usage. I want to show date in a specific timezone (which could change dynamically).
If I make calculation in query i have what i want.
If I make calculation in token the result is not good.
<dashboard>
<label>timeComponent</label>
<row>
<panel>
<table>
<search>
<query>|makeresults
|eval out_time=strftime(time(),"%Z %z")
|table out_time
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<set token="fromSearch">$result.out_time$</set>
<eval token="fromEval">strftime(time(),"%Z %z")</eval>
</done>
</search>
</table>![alt text][1]
</panel>
</row>
<row>
<panel>
<html>
<table border="0" cellpadding="12" cellspacing="0">
<tr>
<td>Value in Search</td>
<td>[$fromSearch$]</td>
</tr>
<tr>
<td>Value in eval</td>
<td>[$fromEval$]</td>
</tr>
</table>
</html>
</panel>
</row>
</dashboard>
Why the %Z is not working in the Eval ?
My question is : Is it normal to have different results ?
I have to make some time transformation and i wouldn't use fake (transformation using an other query, ...) just for changing timezone.
Any idea ?
Thanks
Régis Alzaté
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.
And in my query i add the final transformation
| eval _time = _time * 2 - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))
If it can help someone else.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.
And in my query i add the final transformation
| eval _time = _time * 2 - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))
If it can help someone else.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I read that the eval tag in dashboards has some limitation/changes as compared to eval in search command. See this: http://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/tokens#Define_token_filtering_and_formatting
It's NOT listed explicitly that %Z is not supported in dashboard-xml-eval, but seems like it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi and thanks somesoni2
This doc mentions "different behavior" for strftime. (personally, i see this behavior as a bug)
I'm agree with you, but if we have to develop a huge trick just to convert timezone, i found that not user friendly.
I think i have no other choose that implement a dummy query or other trick to do it.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ralzate, I think %Z, does not play well with eval based token. So if you have have valid Splunk Entitlement you should create a BUG Request (Tag Bug to this question as well).
Meanwhile as you have said,
1) Use %zfor Timezone in eval and then convert the same to %Z in your actual search or
2) Have a dummy search to over come this situation
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Use %z is not good for me because i need timezone with daylight saving time, in this case i have to search the good correspondence (not easy to do).
I can do the second solution temporary until i have a better solution.
I will raise a bug request.
Thanks all
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
