I have a query which looks for date and time in a field (Timestamp) which is of the format "Wed Jan 01 16:24:28 EST 2020" and does a strptime on it. Next I group events using bucket. This used to give the events by date in the format 2019-12-31. But for dates in the year 2020 it just returns the year "2020".
| eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
| bucket _time span=1d
| table Timestamp _time
Am I missing something here, and is this how bucket is expected to work?
| makeresults
| eval _raw="
_time Timestamp etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800"
| multikv forceheader=1
| eval _time=etime
| bin span=1d etime
| eval etime_check=strftime(etime,"%+")
It has been aggregated by the bin command. The display can be changed.
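To see what the search above does with the thread's own sample values, here is an added Python model (not Splunk code and not from this answer) of the three steps: strptime on the "%a %b %d %H:%M:%S %Z %Y" format, bin span=1d, and strftime for display. It assumes, consistent with the 1577854800 shown in the results, that Splunk aligns a 1d span to local midnight in the search time zone (EST, UTC-5), and it resolves the %Z abbreviation through a small constructed table because Python's strptime only knows the local zone.

```python
from datetime import datetime, timedelta, timezone

# Constructed abbreviation table (assumption): Splunk resolves %Z itself,
# Python's strptime does not, so the zones used in the thread are mapped here.
TZ_OFFSETS = {"EST": -5, "EDT": -4, "UTC": 0, "GMT": 0}


def _tz(abbrev: str) -> timezone:
    return timezone(timedelta(hours=TZ_OFFSETS[abbrev]))


def parse_timestamp(text: str) -> int:
    """strptime(Timestamp, "%a %b %d %H:%M:%S %Z %Y") -> epoch seconds."""
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected timestamp layout: {text!r}")
    # Drop the %Z token for Python and apply its offset explicitly.
    naive = datetime.strptime(" ".join(parts[:4] + parts[5:]),
                              "%a %b %d %H:%M:%S %Y")
    return int(naive.replace(tzinfo=_tz(parts[4])).timestamp())


def bin_span_1d(epoch: int, search_tz: str = "EST") -> int:
    """bin span=1d: floor the epoch to local midnight in the search time zone."""
    local = datetime.fromtimestamp(epoch, _tz(search_tz))
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return int(midnight.timestamp())


def strftime_day(epoch: int, search_tz: str = "EST") -> str:
    """strftime(etime, "%Y-%m-%d"): the display step, changeable independently of the bin."""
    return datetime.fromtimestamp(epoch, _tz(search_tz)).strftime("%Y-%m-%d")


def pipeline(timestamp: str, search_tz: str = "EST") -> tuple[int, str]:
    """Run the whole search for one Timestamp value: (binned epoch, displayed day)."""
    binned = bin_span_1d(parse_timestamp(timestamp), search_tz)
    return binned, strftime_day(binned, search_tz)


if __name__ == "__main__":
    # Sample values constructed from the rows quoted in the thread plus one 2019 row.
    for ts in ("Wed Jan 01 01:09:29 EST 2020",
               "Wed Jan 01 00:56:39 EST 2020",
               "Tue Dec 31 23:30:00 EST 2019"):
        print(ts, "->", pipeline(ts))
```

Both 2020 rows bin to 1577854800 (midnight EST on 1 January 2020, the etime shown in the results), and the 2019 row bins to the previous day, so the year boundary is handled by the same floor-to-midnight rule.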
What is returned if you run the search:
| eval etime=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
| bucket etime span=1d
| table _time Timestamp etime
This is the output I see:
_time Timestamp etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800
When I enter 1577854800 into an epoch time converter I get Wednesday, 1 January 2020 05:00:00 (which is what I'd expect given your timezone offset for EST, i.e. GMT -5:00).
Can you post the results as returned by your original search, i.e.:
| eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
| bucket _time span=1d
| table Timestamp _time
Thanks for your input. Can you post this as an answer so that I can accept it? Also, did you see the Splunk bin command acting differently for the years 2019 and 2020?
Thanks for the answer. I will explore this option and see if it fits my query, but did you also see the Splunk bin command acting differently for the years 2019 and 2020?
I work in Splunk Cloud Version: 7.2.6.
Also, the link talks about the year in 2 digits and when the year is in epoch format, but in this case the year is 4 digits and the issue is not while ingesting data but rather while applying bucket over this data.
Hi, check out this link please:
https://docs.splunk.com/Documentation/Splunk/8.0.1/ReleaseNotes/FixDatetimexml2020
Hi, this article says:
Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets this criteria will be indexed with incorrect timestamps.
But in my case the year is four digits, so I doubt this would affect it at all.