topic Re: Why strftime with %Z work differently between query and eval + token in Splunk Search

Why strftime with %Z work differently between query and eval + token

ralzate — Fri, 10 Nov 2017 15:17:57 GMT

Hello

In my dashboard, i saw a strange things with Timezone printing. In fact i have to make time conversion and show detail for a specific usage. I want to show date in a specific timezone (which could change dynamically).

If I make calculation in query i have what i want.
If I make calculation in token the result is not good.

<dashboard>
  <label>timeComponent</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults
|eval out_time=strftime(time(),"%Z %z")
|table out_time
</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="fromSearch">$result.out_time$</set>
            <eval token="fromEval">strftime(time(),"%Z %z")</eval>
          </done>
        </search>
      </table>![alt text][1]         
    </panel>
  </row>
   <row>
    <panel>
      <html> 
        <table border="0" cellpadding="12" cellspacing="0">
          <tr>
            <td>Value in Search</td>
            <td>[$fromSearch$]</td>
          </tr>
          <tr>
            <td>Value in eval</td>
            <td>[$fromEval$]</td>
          </tr>
        </table>  
      </html>
    </panel>
  </row>
</dashboard>

Why the %Z is not working in the Eval ?
My question is : Is it normal to have different results ?
I have to make some time transformation and i wouldn't use fake (transformation using an other query, ...) just for changing timezone.

Any idea ?

Thanks
Régis Alzaté

Re: Why strftime with %Z work differently between query and eval + token

somesoni2 — Fri, 10 Nov 2017 16:20:44 GMT

I think I read that the eval tag in dashboards has some limitation/changes as compared to eval in search command. See this: http://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/tokens#Define_token_filtering_and_formatting

It's NOT listed explicitly that %Z is not supported in dashboard-xml-eval, but seems like it.

Re: Why strftime with %Z work differently between query and eval + token

ralzate — Fri, 10 Nov 2017 16:44:10 GMT

hi and thanks somesoni2

This doc mentions "different behavior" for strftime. (personally, i see this behavior as a bug)
I'm agree with you, but if we have to develop a huge trick just to convert timezone, i found that not user friendly.

I think i have no other choose that implement a dummy query or other trick to do it.

Regards
Régis

Re: Why strftime with %Z work differently between query and eval + token

niketn — Sat, 11 Nov 2017 17:46:40 GMT

@ralzate, I think %Z, does not play well with eval based token. So if you have have valid Splunk Entitlement you should create a BUG Request (Tag Bug to this question as well).

Meanwhile as you have said,
1) Use %zfor Timezone in eval and then convert the same to %Z in your actual search or
2) Have a dummy search to over come this situation

Re: Why strftime with %Z work differently between query and eval + token

ralzate — Mon, 13 Nov 2017 07:07:04 GMT

Hello,

Use %z is not good for me because i need timezone with daylight saving time, in this case i have to search the good correspondence (not easy to do).

I can do the second solution temporary until i have a better solution.

I will raise a bug request.

Thanks all

Re: Why strftime with %Z work differently between query and eval + token

ralzate — Tue, 27 Mar 2018 09:05:03 GMT

The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.

And in my query i add the final transformation

| eval _time = _time * 2  - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))

If it can help someone else.

Regards
Régis