Splunk strptime returning NaN

trever
Loves-to-Learn

I have an eval on a dashboard that used to work, but it stopped and I haven't been able to figure out why.

On the dashboard I'm taking the _time and turning it into a human-readable string using `strftime(_time, "%m/%d/%Y %H:%M:%S %Z")` and that works great. The problem comes in when I try to convert it back later for making a link to a search.

For example:
```
<eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
```

Used to work and return the unix time that I added 30m to, but now `strptime` just returns NaN, but this is the right format. I've checked out all the Splunk docs and everything looks right, but it is still broken.

Any idea what I could be doing wrong?

Here is the snippet from my field row I'm making:

```
<condition field="Search">
<eval token="startTimestamp">$row.Timestamp$</eval>
<eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
<eval token="corKey">$row.Correlation Key$</eval>
<link target="_blank">search?q=(index=### OR index=###) earliest=$startTimestamp$ latest=$endTimestamp$ correlationKey=$corKey$</link>
</condition>
```

I have taken out everything but the $row.Timestamp$ and that returns something like `10/03/2021 07:41:27 PDT`, which is the format that I put into it; I just can't do the reverse. I have copied and pasted the format from the `strftime` and still no luck converting it back so I can do math on it.

Any suggestions?

0 Karma

jhanvidattani
Path Finder

@trever 

I am not sure why it's not working. But can you try the code below:

```
<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label></label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Sources</title>
        <search>
          <query>index="_internal" | stats count by source, sourcetype, _time | eval Timestamp = strftime(_time, "%m/%d/%Y %H:%M:%S %Z"), epoch_time = strptime(Timestamp, "%m/%d/%Y %H:%M:%S %Z")</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <fields>source, sourcetype,Timestamp</fields>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="endTimestamp">strftime(relative_time($row.epoch_time$,"+30m"), "%m/%d/%Y %H:%M:%S %Z")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Drilldown Value</title>
        <search>
          <!-- makeresults takes no field=value arguments, so the token is assigned with eval -->
          <query>| makeresults | eval sample_field="$endTimestamp$"</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```



If you find my solution/debugging steps useful, an upvote would be appreciated.

0 Karma
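
The approach in the answer above, applied to the search link from the question, as an added example (not code from either poster): the epoch value travels with the row, so the drilldown never parses the display string back. It assumes, as the answer's code does, that a field left out of `<fields>` is still available as `$row.epoch_time$`; the `_internal` index and the `sourcetype` filter are placeholders for the real search.

```xml
<dashboard>
  <label>Drilldown with epoch time bounds</label>
  <row>
    <panel>
      <table>
        <title>Sources</title>
        <search>
          <!-- Keep the raw epoch next to the human-readable string -->
          <query>index="_internal" | stats count by source, sourcetype, _time | eval epoch_time = _time, Timestamp = strftime(_time, "%m/%d/%Y %H:%M:%S %Z")</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!-- epoch_time is not displayed; the drilldown reads it from the row -->
        <fields>source, sourcetype, Timestamp</fields>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- earliest/latest accept epoch seconds, so no strptime is needed -->
          <eval token="startTimestamp">$row.epoch_time$</eval>
          <eval token="endTimestamp">relative_time($row.epoch_time$, "+30m")</eval>
          <link target="_blank">search?q=index=_internal sourcetype=$row.sourcetype$ earliest=$startTimestamp$ latest=$endTimestamp$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```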