Dashboards & Visualizations
Highlighted

strptime with time zone - eval token drilldown

New Member

When evaluating this token in an "eval" drilldown:
strptime("2000-01-01 +00:00", "%F %:z")
It does not produce any result.

...But, actually, if in a standard search we write:
eval foo = strptime("2000-01-01 +00:00", "%F %:z")
It will produce "946684800" as result, which is the correct epoch we are looking for.

In the end, it looks like the command is properly written but, for some reasons, it cannot work in drilldowns.
Do you know why?

0 Karma
Highlighted

Re: strptime with time zone - eval token drilldown

SplunkTrust
SplunkTrust

@gavalle,

In the dashboard drilldown, its throws an error due to ":" character between % and z. Remove the colon(:) and try strptime("2000-01-01 +00:00", "%F %z") in the eval and it should work. Somehow search bar ignores this while parsing.

Below works for me

<dashboard>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval time="2000-01-01 +00:00"</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <eval token="NEW_TIME">strptime("2000-01-01 +00:00","%F %z")</eval>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <html>
      <h1>$NEW_TIME$ </h1>
    </html>
  </row>
</dashboard>

View solution in original post

0 Karma