topic Re: update humar readable Time in Splunk Search

update humar readable Time

AKG1_old1 — Thu, 09 May 2019 10:41:38 GMT

Hi, I am passing human readable time using URL to my dashboard and looking to change this time by 1 hr earlier.

Example

Passing Time in URL : 2019-05-09T10:30:00.000+02:00
Expectation :  2019-05-09T09:30:00.000+02:00

I have tried converting it to epoch and subtract 3600. After converted it back to same format. but not working as per expectation.

<search>
    <query>| makeresults count=1 annotate=false </query>
    <done>
      <condition match="match($ALERT_TOKEN$,&quot;true&quot;)">
         <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval>
         <eval token="final_time">strftime($epoch_time$,"%Y-%m-%dT%H:%M:%S.%3f%z")</eval>
      </condition>
    </done>
  </search>

This logic works in search but not in dashboard code. Any suggestion what I am missing here ?

| makeresults 
| eval TIME="2019-05-09T10:30:00.000+02:00" 
| eval TIME1=strptime(TIME,"%Y-%m-%dT%H:%M:%S")-3600 
| eval TIME2=strftime(TIME1,"%Y-%m-%dT%H:%M:%S.%3f%z") 
| table TIME TIME1 TIME2

Re: update humar readable Time

DavidHourani — Thu, 09 May 2019 12:00:54 GMT

Could you please post what you're getting in the tokens as values ? your syntax seems correct

Re: update humar readable Time

DavidHourani — Thu, 09 May 2019 12:25:12 GMT

Hi @agoyal,

I tried testing around with the token and it seemed to work best when the value sent in the original $url_time$ is in epoch. It would be easier for you to send that vs a human readable date.

If that's not possible then I recommend you first check the value you're getting in the epoch_time token via <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval> by using $epoch_time$ in a dashboard title or as follows |makeresults|eval A=$epoch_time$ this will make troubleshooting way easier for you.

Cheers,
David

Re: update humar readable Time

AKG1_old1 — Wed, 30 Sep 2020 00:28:35 GMT

Thanks but url_time is generated in alert using $job.earliest_time$ so don't think possible to use epoch.
converting to epoch time is working fine it just converting back to human readable is not working.

Re: update humar readable Time

DavidHourani — Wed, 30 Sep 2020 00:27:35 GMT

In that case remove the strptime because $job.earliest_time$ is already in epoch. So no need to reconvert it 🙂 make it $url_time$ -3600 😉

Re: update humar readable Time

AKG1_old1 — Wed, 30 Sep 2020 00:28:41 GMT

no its not in epoch timeformat.

Defined it Email alert
?&host_token=$result.host_token$&form.time_token.earliest=$job.earliestTime$&form.time_token.latest=$job.latestTime$&Log_or_Live_token=Live

Output:
?&host_token=QCST_RSAT_V42&form.time_token.earliest=2019-05-09T10:45:00.000+02:00&form.time_token.latest=2019-05-09T10:55:00.000+02:00&Log_or_Live_token=Live