addinfo command bug in splunk 7.1.4 version

harishalipaka
Motivator

Hi All,

I have upgraded Splunk Enterprise from version 6.6.2 to 7.1.4.
Everything is good, but when I am selecting a date range I am getting wrong epochs related to that time range (info_min_time and info_max_time).

This is in 6.6.2 Splunk Enterprise. Here it will give correct results in single; the right side is the results of the addinfo query.

selecting date range image in splunk 6.6.2 version

This is the default time for date picker

<input type="time" token="time1">
  <label>Date &amp; Time Range</label>
  <default>
    <earliest>-1d@d+07h+30m</earliest>
    <latest>-0d@d+07h+30m</latest>
  </default>
</input>

This is the query for date range selection

|gentimes start=-1 | addinfo |eval begin_filter_date=strftime(info_min_time,"%x %X"), end_filter_date=strftime(info_max_time,"%x %X")

This is the 7.1.4 version selection. Here it will give wrong values, a time like 12:30.

date range selection in splunk 7.1.4 image

Thanks
Harish
0 Karma

woodcock
Esteemed Legend

This is definitely a divergence in behavior and IMHO a bug (but perhaps Splunk will say it is a feature). You *D*E*F*I*N*I*T*E*L*Y need to open a support case!

0 Karma

mayurr98
Super Champion

Hi, I don't know if this is a bug or not:

Try restarting the Splunk instance or adjusting Splunk local time to your timezone.
If this does not help then you can adjust the offset in your query like this:

| gentimes start=-1 
| eval earliest="$time1.earliest$",latest="$time1.latest$" 
| eval earliest=if(earliest="-1d@d+07h+30m",relative_time(now(),"-1d@d+07h+30m"),earliest),latest=if(latest="-0d@d+07h+30m",relative_time(now(),"-0d@d+07h+30m"),latest) 
| eval begin_filter_date=strftime(earliest,"%x %X") 
| eval end_filter_date=strftime(latest,"%x %X") 
| eval results=begin_filter_date+" to "+end_filter_date 
| table results

Let me know if this helps!

0 Karma

harishalipaka
Motivator

Hi @mayurr98

This is good, but I am getting correct epochs for earliest and latest.
But when I am trying to convert to readable time, it will give 12:30.

Thanks
Harish
0 Karma