Dashboards & Visualizations

addinfo command bug in splunk 7.1.4 version

harishalipaka
Motivator

Hi All,

I have upgraded from Splunk Enterprise 6.6.2 to 7.1.4.
Everything is good, but when I select a date range I get the wrong epochs for that time range (info_min_time and info_max_time).

This is in Splunk Enterprise 6.6.2. Here it gives correct results in the single; on the right side are the results of the addinfo query.

selecting date range image in splunk 6.6.2 version

This is the default time for date picker

<input type="time" token="time1">
  <label>Date &amp; Time Range</label>
  <default>
    <earliest>-1d@d+07h+30m</earliest>
    <latest>-0d@d+07h+30m</latest>
  </default>
</input>

This is the query for date range selection

| gentimes start=-1 | addinfo | eval begin_filter_date=strftime(info_min_time,"%x %X"), end_filter_date=strftime(info_max_time,"%x %X")

This is the 7.1.4 version selection. Here it gives wrong values, a time like 12:30.

date range selection in splunk 7.1.4 image

Thanks
Harish
0 Karma

woodcock
Esteemed Legend

This is definitely a divergence in behavior and IMHO a bug (but perhaps Splunk will say it is a feature). You *D*E*F*I*N*I*T*E*L*Y need to open a support case!

0 Karma

mayurr98
Super Champion

Hi, I don't know if this is a bug or not:

Try restarting the Splunk instance or adjusting Splunk local time to your timezone.
If this does not help, then you can adjust the offset in your query like this:

| gentimes start=-1 
| eval earliest="$time1.earliest$",latest="$time1.latest$" 
| eval earliest=if(earliest="-1d@d+07h+30m",relative_time(now(),"-1d@d+07h+30m"),earliest),latest=if(latest="-0d@d+07h+30m",relative_time(now(),"-0d@d+07h+30m"),latest) 
| eval begin_filter_date=strftime(earliest,"%x %X") 
| eval end_filter_date=strftime(latest,"%x %X") 
| eval results=begin_filter_date+" to "+end_filter_date 
| table results

Let me know if this helps!

0 Karma

harishalipaka
Motivator

Hi @mayurr98,

This is good, but I am getting correct epochs for earliest and latest.
But when I try to convert them to readable time, it gives 12:30.

Thanks
Harish
0 Karma