Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with strftime, strptime used in token eval and microseconds

damienschmitt
Explorer
‎04-12-2020 04:41 PM

Hi,

I try to use a token from a drilldown in a previous view in my app. The token contain a date in this format: "%Y-%m-%d %H:%M:%S.%6Q" (possible to update the format but I need to show microseconds).

I used this code to change the format according to earliest and latest :

<input type="text" token="earliest">
      <label>earliest</label>
      <change>
        <eval token="earliest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
      </change>
    </input>
    <input type="text" token="latest">
      <label>latest</label>
      <change>
        <eval token="latest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
      </change>
    </input>

I tried to use %3Q %Q %6N %3N, nothing works. The best result is using %3N, the function works but the result is wrong (milliseconds are missing after conversion):

2020-04-12 21:34:41.268 => 2020-04-12 21:34:41.000

Any idea to solve this issue ?

After solving this issue, I will need to solve another problem: Splunk is unable to search on same date/time. How to limit my search to a single microsecond ? If there is no other option, how can I add one microsecond to latest ?

0 Karma
Reply

Scrutch
New Member
‎04-14-2020 03:17 AM

Have you tried using directly epoch format in your form? To strptime/strftime may truncate your timestamp.
Then you can add a microsecond to it simply with a sum ($value$+0.001) and it should work.

To directly use epoch, you must do a |eval var=_time and use var. Because the _time field is modified to be readable when the field is printed on screen

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-13-2020 05:43 AM

Splunk event timestamps have 1-second resolution. One cannot search time periods smaller than a second.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

damienschmitt
Explorer
‎04-13-2020 08:53 AM

After some tests, I am able to search by milliseconds intervals

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-13-2020 10:02 AM

Please share how you did that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

damienschmitt
Explorer
‎04-13-2020 12:09 PM

I used two tokens with this format for earliest and latest: 2020-04-12T21:34:41.611+00:00

        <search>
          <query>index=$index$</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
        </search>
0 Karma
Reply

to4kawa
Ultra Champion
‎04-13-2020 02:23 AM

why don't you use epoch with token, and change to string in query?

0 Karma
Reply

damienschmitt
Explorer
‎04-13-2020 08:49 AM

I tried with epoch (sending _time from the table in the previous view) but I am unable to add one more milliseconds to latest.

    <input type="text" token="earliest">
      <label>earliest</label>
    </input>
    <input type="text" token="latest">
      <label>latest</label>
      <change>
        <eval token="latest">$value$</eval> <= don't know how to add one more millisecond here
      </change>
    </input>

The query result with

Invalid latest_time: latest_time must
be after earliest_time

.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top