Re: strptime is not returning proper results

Smith_Splunk · ‎04-22-2015

Hi All,

I have a lookup file which contains 2 columns such as "hour (HH:MM)" and "job"

hour          job
---------------------
00:00         job1
01:00         job2
02:00         job3
03:00         job4
04:00         job5
05:00         Job6

i want to map this for every day. when i tried to convert using "strptime" i am getting today's date for current time + 3 hours entries and reaming values are showing previous date.

My query is below and am running at 23/4/2015 00:10:00. My system and splunk sever timezone are same,

|inputlookup jobs.csv | eval _time = strptime(hour, "%H:%M")

Output is,

 hour          job              _time
 ----------------------------------------------------------
 00:00         job1           2015-04-23 00:00:00
 01:00         job2           2015-04-23 01:00:00
 02:00         job3           2015-04-23 02:00:00
 03:00         job4           2015-04-23 03:00:00
 04:00         job5           2015-04-22 04:00:00
 05:00         Job6           2015-04-22 05:00:00

From the above results am able to get proper date (today's date) for first 3 hours from my current time, after that it's showing previous day date ( 2015-04-22 04:00:00).

Can any one please let me know the reason for showing previous day date after 3 hours.

Thanks
Smith.

stephane_cyrill · ‎04-22-2015

HI Smith_Splunk,

The returned result is Ok. Note that your field HOUR gives do not give us informations about THE DAY THE MONTH AND THE YEAR. So because _time is a field reserved and used by splunk, it format can not change. that is wy splunk splunk use the system date to complete the values.

Smith_Splunk · ‎04-24-2015

Thanks Stephane_cyrille,

I agree my hour column is not having proper timezone. But whenever I ran the query its giving proper results for next 3 hours from my current time. So l would like to know how 3 hours getting added.

Thanks,
Smith

hcbomb · ‎04-22-2015

Hi!

Your search to generate this lookup table is precisely what you asked of it:

Give me a table that includes job against Hour:Minute intervals

I don't really understand your use case. Can you specify/clarify for the following:

Why do you need to use _time? That's an internal field and I would suggest using a custom field particularly if you're performing custom time work here.
Why are you trying to extract a proper date from an incomplete timestamp? This is the equivalent of trying to extraction how many millions out of a number that only in the thousands or lower.
Can you use a fuller time stamp to include date?

Addressing the latter question should root out any underlying notions affecting your results here. My guess is that you were running this query before 0400 local time.

We'd need further clarification before providing more/better input.

Smith_Splunk · ‎04-24-2015

Thanks hcbomb for the response.

I was using _time to get the proper date format instead of timestamp and to use in my subsequent queries. May be i was wrong in my approach here.
I was creating time chart overlay for comparing last one week average of the job runs and todays run for every 15 mins.
Not sure how to include the date. Since i was taking last 1 week averages. I modified the query like below, but still I was getting the same results.

|inputlookup job.csv | eval jobtime = strptime(hour, "%H:%M") | eval jobdatetime = strftime(jobtime, "%Y-%m-%d %H:%M:%S")
Yes, I was running at 12:00 AM. But whenever I ran the query its giving proper results for next 3 hours from my current time. I was wondering where the 3 hours difference is coming. I am using local instance with same time zone for user and Splunk server.

Thanks
Smith

strptime is not returning proper results

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases