Splunk Search

update human readable Time

AKG1_old1
Builder

Hi, I am passing a human readable time via URL to my dashboard and am looking to change this time to 1 hr earlier.

Example

Passing Time in URL : 2019-05-09T10:30:00.000+02:00
Expectation : 2019-05-09T09:30:00.000+02:00

I have tried converting it to epoch and subtracting 3600, then converting it back to the same format, but it is not working as per expectation.

<search>
  <query>| makeresults count=1 annotate=false </query>
  <done>
    <condition match="match($ALERT_TOKEN$,&quot;true&quot;)">
      <!-- $url_time$ is substituted as text before the eval runs, so a string value must be quoted -->
      <eval token="epoch_time">strptime("$url_time$","%Y-%m-%dT%H:%M:%S")-3600</eval>
      <eval token="final_time">strftime($epoch_time$,"%Y-%m-%dT%H:%M:%S.%3f%z")</eval>
    </condition>
  </done>
</search>

This logic works in search but not in the dashboard code. Any suggestion on what I am missing here?

| makeresults 
| eval TIME="2019-05-09T10:30:00.000+02:00" 
| eval TIME1=strptime(TIME,"%Y-%m-%dT%H:%M:%S")-3600 
| eval TIME2=strftime(TIME1,"%Y-%m-%dT%H:%M:%S.%3f%z") 
| table TIME TIME1 TIME2
0 Karma
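As an added illustration (not code from the original post), here is the same one-hour shift done in Python, keeping the +02:00 offset the way the expected output needs it, and measuring how far the epoch drifts when a format without %z silently drops that offset. The sample timestamp is constructed from the thread's example.

```python
from datetime import datetime, timedelta, timezone

# Python's %f is microseconds (it accepts ".000"); %z accepts "+02:00" on Python 3.7+
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def shift_iso_time(value: str, seconds: int) -> str:
    """Parse an ISO 8601 timestamp with offset, move it earlier, return the same shape."""
    dt = datetime.strptime(value, ISO_FMT)
    shifted = dt - timedelta(seconds=seconds)
    # isoformat keeps the original tz offset; timespec trims to 3 fractional digits
    return shifted.isoformat(timespec="milliseconds")


def offset_loss_seconds(value: str) -> int:
    """Epoch error introduced when the trailing "+HH:MM" offset is ignored.

    Assumes the offset is exactly 6 characters ("+HH:MM") and that the
    converter interprets a naive timestamp as UTC.
    """
    with_offset = datetime.strptime(value, ISO_FMT).timestamp()
    naive = datetime.strptime(value[:-6], "%Y-%m-%dT%H:%M:%S.%f")
    assumed_utc = naive.replace(tzinfo=timezone.utc).timestamp()
    return int(assumed_utc - with_offset)


if __name__ == "__main__":
    sample = "2019-05-09T10:30:00.000+02:00"  # constructed from the thread's example
    print(shift_iso_time(sample, 3600))     # 2019-05-09T09:30:00.000+02:00
    print(offset_loss_seconds(sample))      # 7200
```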

DavidHourani
Super Champion

Hi @agoyal,

I tried testing around with the token and it seemed to work best when the value sent in the original $url_time$ is in epoch. It would be easier for you to send that vs a human readable date.

If that's not possible, then I recommend you first check the value you're getting in the epoch_time token via <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval> by using $epoch_time$ in a dashboard title or as follows: |makeresults|eval A=$epoch_time$. This will make troubleshooting way easier for you.

Cheers,
David

0 Karma

AKG1_old1
Builder

Thanks, but url_time is generated in the alert using $job.earliest_time$, so I don't think it is possible to use epoch.
Converting to epoch time is working fine; it is just converting back to human readable that is not working.

0 Karma

DavidHourani
Super Champion

In that case, remove the strptime because $job.earliest_time$ is already in epoch, so there is no need to reconvert it 🙂 Make it $url_time$ - 3600 😉

0 Karma

AKG1_old1
Builder

No, it's not in epoch time format.

Defined in the email alert:
?&host_token=$result.host_token$&form.time_token.earliest=$job.earliestTime$&form.time_token.latest=$job.latestTime$&Log_or_Live_token=Live

Output:
?&host_token=QCST_RSAT_V42&form.time_token.earliest=2019-05-09T10:45:00.000+02:00&form.time_token.latest=2019-05-09T10:55:00.000+02:00&Log_or_Live_token=Live

0 Karma

DavidHourani
Super Champion

Could you please post what you're getting in the tokens as values? Your syntax seems correct.

0 Karma