I have a dashboard that shows the status of certain logs reporting to Splunk. Within this dashboard, it also shows the last time an event was sent. Most of my log sources reports in 12 character Epoch time but I do have a few that reports in 18 character epoch time. For the ones that report in 18 characters, Splunk thinks that these events are happening in the future. Is there a way to fix this so that Splunk understands the 18 characters?
The source for the dashboard is the following:
| metadata index=* type=sourcetypes | stats max(lastTime) as lastEvent by sourcetype | convert ctime(*Event) | search sourcetype!="*too_small" | search ( **OMITTED** ) | eval LastEventEpoch = lastEvent | eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S") | eval nowEpoch=now() | eval diff = nowEpoch - lastEventEpoch| eval diff=if(diff>0, diff, 0) | eval status=case(diff >= 1 AND diff <=1800, "RUNNING", diff > 1801, "DOWN", diff=0, "OFFLINE/EVENT IN THE FUTURE") | sort - status| rename sourcetype AS Sourcetype, lastEvent AS "Last Seen Event", status AS Status | table Sourcetype, "Last Seen Event", Status
Thanks for your help
Try using regex to peel out the first 12 digits of your time. something like this:
| rex field=_time "(?<_time>\d{12})"
Try using regex to peel out the first 12 digits of your time. something like this:
| rex field=_time "(?<_time>\d{12})"
Thanks!!!! This fixed the issue!!!
Instead of
eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S")
You might try
eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S") | eval lastEventEpoch_s = strftime(lastEventEpoch, "%s") | eval lastEventEpoch_rnd = round(lastEventEpoch_s/1000)
Then use the new field lastEventEpoch_rnd in your comparison.
In theory, the strptime will convert the string into a time. The strftime will change the time format to epoch. The round will take the time/1000 and basically remove the microseconds.
Thanks for your help. Using regex to peel the first 12 characters did the trick.
Can you post some sample events where you get 18 character epoch timestamp?
Using regex to strip the first 12 characters fixed the issue. Thanks