
Splunk Deployment Monitor: Why are emailed reports sending time in epoch format and how do I change this?

Communicator

Splunk App: Deployment Monitor - There are some prebuilt dashboards, i.e. Indexer Warnings, Forwarder Warnings, SourceType Warnings.

These are very helpful, and when you view these dashboards the time/date looks normal. Right next to the report option are the alert options. When the report is emailed, it sends the time in epoch time. These are built-in reports (functions) and I don't have access to the search string. An example is missing sourcetypes; the search string within the app is dm_missing_sourcetypes.

Again, the time is normal on the search string, but the emailed report is in epoch time and unusable.

Thanks
John

0 Karma

Builder

I've tested this out and am able to reproduce.
The search for missing sourcetypes is stored in a macro. Here is the search:

`all_sourcetypes_today` | search status="missing" | sort -lastReceived | fields mysourcetype lastReceived bytes status | rename lastReceived as "Last Connected" mysourcetype as "Sourcetype" bytes as "Bytes" status as "Status" | fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p")

Now it looks like they tried to use this to format the time correctly

| fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p")

However, as you mentioned, it's changing it to epoch when the email sends out. Instead they should be using the convert command, which will make sure that the time format stays the same in the email.

So a complete search would look like this (I don't have any dummy data to test with, but it should work if the lastReceived field is an epoch timestamp, which I believe it is):

`all_sourcetypes_today` | search status="missing" | sort -lastReceived | fields mysourcetype lastReceived bytes status | rename mysourcetype as "Sourcetype" bytes as "Bytes" status as "Status" | convert ctime(lastReceived) AS "Last Connected" | fields - lastReceived

If you have access to look at macros, that's where this search is being stored and you can make the changes yourself. Really, though, this should probably be something that gets fixed in the app.

0 Karma

Communicator

Tried the above string and it's not working. Here is the response from Splunk, whose strings also do not work....

Hard to believe that deployment monitor is legacy and not going to be updated? Why would you dump support for a good app?

Hi John,

This appears to be a known bug in deployment monitor. Unfortunately deployment monitor is now a legacy app that is no longer supported for bug fixes.

What one can do is take a look at the underlying query by clicking on "inspect":

search index="_internal" source="*license_usage.lo*" type!=*Summary | eval lastReceived = _time | rename s as source st as mysourcetype h as host b as bytes o as originator | eval my_splunk_server = splunk_server | fields lastReceived source mysourcetype host bytes pool originator my_splunk_server source | stats sum(bytes) as bytes max(lastReceived) as lastReceived by mysourcetype | append [search earliest=@d index="_internal" source="*license_usage.lo*" type!=*Summary | eval lastReceived = _time | rename s as source st as mysourcetype h as host b as bytes o as originator | eval my_splunk_server = splunk_server | fields lastReceived source mysourcetype host bytes pool originator my_splunk_server source | stats sum(bytes) as bytes max(lastReceived) as lastReceived by mysourcetype | rename bytes as bytes_today ] | stats max(bytes) as bytes max(lastReceived) as lastReceived max(bytes_today) as bytes_today by mysourcetype | eval status = if(isnull(bytes) or lastConnected<(lastReceived-900),"missing","active") | search status="missing" | sort -lastReceived | fields mysourcetype lastReceived bytes status | rename lastReceived as "Last Connected" mysourcetype as "Sourcetype" bytes as "Bytes" status as "Status"

You could try to convert the Last Connected field to realtime by adding the following pipe to the end of the above search:

 | convert ctime("Last Connected")

Then save that search query as an alert, and see if the email shows in realtime.

Be aware this is just a sample query that is unsupported. It is just to give you an idea of some workaround options. Also know that the time reported in the email will not conform to users in varying timezones. We suggest you experiment and see what works for you. If you have questions about creating your own queries you can post them on answers.splunk.com.

Please let us know if this answers your question.

Regards,
Splunk Support

0 Karma
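Both answers above come down to the same point: fieldformat only changes how a value is rendered in the search UI, while convert and eval write a new value into the result set, which is what the email, CSV export and alert payload actually carry. The search below is an added example, not code from either answer or from the Deployment Monitor app. It reuses the page's `all_sourcetypes_today` macro and its lastReceived, mysourcetype, bytes and status fields; the minutes_silent field and the output column order are my own additions. It materialises the timestamp with eval strftime, keeps the raw epoch for sorting, and adds the timezone name and offset so the support caveat about recipients in different timezones is at least visible in the email (strftime renders in the timezone of the user who owns the scheduled search, not the recipient's). For a detection team this alert is really a log-source coverage check, so it also reports how long each source has been silent, which is more useful for triage than the last-seen time alone. As quoted above, the underlying search compares a lastConnected field that nothing in it sets; that logic is left untouched here and only the output formatting changes.

```spl
`all_sourcetypes_today`
| search status="missing"
| sort -lastReceived
| eval minutes_silent=round((now()-lastReceived)/60, 0)
| eval "Last Connected"=strftime(lastReceived, "%Y-%m-%d %H:%M:%S %Z (UTC%z)")
| rename mysourcetype AS "Sourcetype", bytes AS "Bytes", status AS "Status", minutes_silent AS "Minutes Silent"
| fields "Sourcetype" "Last Connected" "Minutes Silent" "Bytes" "Status"
```

Save this as the alert's search (or paste it into the macro, as the first answer suggests) and the emailed table shows the formatted string, because eval has replaced the display-only fieldformat with a stored value. The sort still runs on the numeric lastReceived before it is dropped from the output, so ordering is not affected by the string conversion.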