Dashboards & Visualizations

Issue with strftime, strptime used in token eval and microseconds

damienschmitt
Explorer

Hi,

I am trying to use a token from a drilldown in a previous view in my app. The token contains a date in this format: "%Y-%m-%d %H:%M:%S.%6Q" (it is possible to update the format, but I need to show microseconds).

I used this code to change the format according to earliest and latest:

    <input type="text" token="earliest">
      <label>earliest</label>
      <change>
        <eval token="earliest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
      </change>
    </input>
    <input type="text" token="latest">
      <label>latest</label>
      <change>
        <eval token="latest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
      </change>
    </input>

I tried to use %3Q, %Q, %6N and %3N; nothing works. The best result is with %3N: the function works, but the result is wrong (milliseconds are missing after conversion):

2020-04-12 21:34:41.268 => 2020-04-12 21:34:41.000

Any idea how to solve this issue?

After solving this issue, I will need to solve another problem: Splunk is unable to search on the same date/time. How can I limit my search to a single microsecond? If there is no other option, how can I add one microsecond to latest?

0 Karma

Scrutch
New Member

Have you tried using the epoch format directly in your form? strptime/strftime may truncate your timestamp.
Then you can add a microsecond to it simply with a sum ($value$+0.001) and it should work.

To use epoch directly, you must do a |eval var=_time and use var, because the _time field is modified to be readable when the field is printed on screen.

0 Karma

richgalloway
SplunkTrust

Splunk event timestamps have 1-second resolution. One cannot search time periods smaller than a second.

---
If this reply helps you, Karma would be appreciated.
0 Karma

damienschmitt
Explorer

After some tests, I am able to search by millisecond intervals.

0 Karma

richgalloway
SplunkTrust

Please share how you did that.

---
If this reply helps you, Karma would be appreciated.
0 Karma

damienschmitt
Explorer

I used two tokens with this format for earliest and latest: 2020-04-12T21:34:41.611+00:00

    <search>
      <query>index=$index$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
0 Karma

to4kawa
Ultra Champion

Why don't you use epoch with the token, and change it to a string in the query?

0 Karma

damienschmitt
Explorer

I tried with epoch (sending _time from the table in the previous view), but I am unable to add one more millisecond to latest.

    <input type="text" token="earliest">
      <label>earliest</label>
    </input>
    <input type="text" token="latest">
      <label>latest</label>
      <change>
        <eval token="latest">$value$</eval> <!-- don't know how to add one more millisecond here -->
      </change>
    </input>

The query result is:

Invalid latest_time: latest_time must
be after earliest_time

0 Karma
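An added example, not from this thread or from Splunk, using Python's datetime in place of the Simple XML eval: it parses the drilldown token with its sub-second digits, checks that the format round-trips without truncating them, and builds an earliest/latest pair one microsecond apart in the ISO 8601 form the poster found works as <earliest>/<latest>. Tokens are assumed to be in UTC.

```python
from datetime import datetime, timedelta, timezone

# Format the drilldown token arrives in (from the question). Python's %f
# plays the role of Splunk's %6N / %6Q and accepts 1 to 6 sub-second digits.
TOKEN_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_token(value: str) -> datetime:
    """Parse a token such as '2020-04-12 21:34:41.268', keeping the
    sub-second part. UTC is an assumption; the token carries no offset."""
    return datetime.strptime(value, TOKEN_FMT).replace(tzinfo=timezone.utc)


def roundtrip_ok(value: str) -> bool:
    """The check the poster did by hand: does parse -> format give the
    original sub-second digits back, or are they silently zeroed?"""
    dt = parse_token(value)
    formatted = dt.strftime(TOKEN_FMT)
    return formatted.rstrip("0") == value.rstrip("0")


def to_epoch(dt: datetime) -> float:
    """Epoch seconds with microsecond fraction, the form the other replies
    suggest carrying in the token instead of a formatted string."""
    return dt.timestamp()


def to_search_time(dt: datetime) -> str:
    """ISO 8601 with offset, e.g. 2020-04-12T21:34:41.268000+00:00."""
    return dt.isoformat(timespec="microseconds")


def search_window(token: str, step_us: int = 1) -> tuple[str, str]:
    """Earliest/latest strings for a window of step_us microseconds starting
    at the token's instant. Splunk rejects latest <= earliest, so the
    window is never empty."""
    earliest = parse_token(token)
    latest = earliest + timedelta(microseconds=step_us)
    if latest <= earliest:
        raise ValueError("latest_time must be after earliest_time")
    return to_search_time(earliest), to_search_time(latest)


if __name__ == "__main__":
    # Constructed sample value, the one quoted in the question.
    sample = "2020-04-12 21:34:41.268"
    print(roundtrip_ok(sample), to_epoch(parse_token(sample)))
    print(search_window(sample))
```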