Different timestamp format output between manually running a search and a scheduled search

apietersen
Contributor

Hi,

I have an issue with running exactly the same search. The difference is that I first run the search based on YearToDate period (to get some historic info) and later schedule the same search based on Yesterday period and to append that result to the CSV file. Why does it suddenly use a different time format?

DeBaenst2,"2018-04-23T00:00:00.000+0200",2,21,8615,8594
DeBaenst2,"2018-04-24T00:00:00.000+0200",1,19,8634,8615
DeBaenst2,"2018-04-25T00:00:00.000+0200",1,19,8653,8634
DeBaenst2,"2018-04-26T00:00:00.000+0200",2,21,8674,8653
DeBaenst2,"2018-04-27T00:00:00.000+0200",1,16,8690,8674
DeBaenst2,"2018-04-28T00:00:00.000+0200",2,14,8704,8690
DeBaenst2,1524952800,,"0.5",8705,8704

Does anyone have a suggestion?
regards
Ashley Pietersen

0 Karma
1 Solution

apietersen
Contributor

Hi TISKAR,

I have checked it this morning and it looks OK. Although I do not understand why the different outcome. Also zero values are represented as an empty field. (but that was another post) - Many thanks,

regards
Ashley Pietersen


TISKAR
Builder

Can you try this please:

<your_base_search> | eval _time=strftime(_time,"%Y-%m-%dT%H:%M:%S.%3Q")

apietersen
Contributor

Hi TISKAR,

Thanks, I will need to test. It runs every day. I will let you know asap.

regards
Ashley Pietersen

0 Karma

TISKAR
Builder

Hey, if that works, can you please upvote my response or accept my answer to help another person.
Thanks

0 Karma

xpac
SplunkTrust

Can you please post your actual search string, please?

0 Karma

apietersen
Contributor

See below:

index=XXX AND MachineID=YYY AND (Tag="Application.MM_PD.scMachineControl_RBS.iCntHourRuntime")
| dedup _time | timechart span=1d@d max(Value) as maxhours min(Value) as minhours
| eval daily_hrs=(maxhours-minhours)/2
| appendcols [search index=XXX AND MachineID=YYY AND Tag=sText AND Value="*error" | dedup _time
| timechart span=4h dc(Value) as err_4h
| timechart span=1d@d sum(err_4h) as err_day ]
| eval MachineID="DeBaenst2" | table MachineID _time err_day daily_hrs maxhours minhours

0 Karma
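Added example, not part of the thread and not Splunk code: a Python sketch for repairing a CSV that already contains both timestamp styles quoted in the question, rewriting the epoch values into the ISO form of the other rows. The function names, the column position and the fixed +02:00 offset are assumptions taken from the sample rows; a file that spans a daylight-saving change would need a real time zone instead of a fixed offset.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

ISO_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2018-04-28T00:00:00.000+0200

# Two rows copied from the question: one ISO timestamp, one epoch value.
SAMPLE = (
    'DeBaenst2,"2018-04-28T00:00:00.000+0200",2,14,8704,8690\n'
    'DeBaenst2,1524952800,,"0.5",8705,8704\n'
)


def normalize_time(value, offset_hours=2):
    """Return `value` as ISO 8601 with milliseconds and a numeric offset.

    Epoch seconds are rendered in the assumed fixed offset; values that
    are already ISO keep the offset they were written with.
    """
    try:
        ts = datetime.fromtimestamp(
            float(value), timezone(timedelta(hours=offset_hours)))
    except ValueError:
        # Not a number: must match the ISO layout, otherwise this raises
        # ValueError so a malformed row is not silently passed through.
        ts = datetime.strptime(value, ISO_FMT)
    millis = ts.microsecond // 1000
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{millis:03d}" + ts.strftime("%z")


def normalize_csv(text, time_col=1, offset_hours=2):
    """Rewrite column `time_col` of every row to the ISO form."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        row[time_col] = normalize_time(row[time_col], offset_hours)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print(normalize_csv(SAMPLE), end="")
```
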