Solved: Bucket behaves differently for year 2020

Balajiraj · ‎01-08-2020

I have a query which looks for date and time in a field(Timestamp) which is of format "Wed Jan 01 16:24:28 EST 2020" and does a strptime on it. Next i group events using bucket. This used to give the events by date in format 2019-12-31. But for dates in year 2020 it just returns the year "2020"

|eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
|bucket _time span=1d
| table Timestamp _time

Am i missing something here and is this how bucket is expected to work

to4kawa · ‎01-09-2020

| makeresults
| eval _raw="
_time            Timestamp                    etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800"
| multikv forceheader=1
| eval _time=etime
| bin span=1d etime
| eval etime_check=strftime(etime,"%+")

It has been aggregated by bin command.
The display can be changed.

View solution in original post

rhasplunk · ‎01-09-2020

What is returned if you run the search

|eval etime=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y") 
|bucket etime span=1d
| table _time Timestamp etime

Balajiraj · ‎01-09-2020

This is the output i see
_time Timestamp etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800

rhasplunk · ‎01-09-2020

When I enter 1577854800 into an epoch time converter I get Wednesday, 1 January 2020 05:00:00 (which is what I'd expect given your timezone offset for EST ie GMT -5:00).

Can you post the results as returned by your original search i.e.

|eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y") 
|bucket _time span=1d
| table Timestamp _time

Balajiraj · ‎01-09-2020

Thanks for your input. Can you post this as answer so that i can accept it. Also did u see splunk bin command acting differently for year 2019 and 2020

to4kawa · ‎01-09-2020

| makeresults
| eval _raw="
_time            Timestamp                    etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800"
| multikv forceheader=1
| eval _time=etime
| bin span=1d etime
| eval etime_check=strftime(etime,"%+")

It has been aggregated by bin command.
The display can be changed.

Balajiraj · ‎01-09-2020

Thanks for the answer. I will explore this option and see if it fits my query but did you also see splunk bin command acting differently for year 2019 and 2020

Balajiraj · ‎01-09-2020

I work in Splunk Cloud Version:7.2.6
Also the link talks about year in 2 digits and when year is in epoch format but in this case year is 4 digits and issue is not while ingesting data but rather while applying bucket over this data

carlasteenkamp · ‎01-08-2020

Hi,
check out this link please
https://docs.splunk.com/Documentation/Splunk/8.0.1/ReleaseNotes/FixDatetimexml2020

Balajiraj · ‎01-09-2020

Hi,

This article says
Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets this criteria will be indexed with incorrect timestamps.

But in my case year is four digit, so i doubt if this would affect at all

Bucket behaves differently for year 2020

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor