Bucket behaves differently for year 2020

Balajiraj
Explorer

I have a query which looks for date and time in a field (Timestamp) which is of format "Wed Jan 01 16:24:28 EST 2020" and does a strptime on it. Next I group events using bucket. This used to give the events by date in format 2019-12-31. But for dates in year 2020 it just returns the year "2020".

|eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
|bucket _time span=1d
| table Timestamp _time

Am I missing something here, and is this how bucket is expected to work?

0 Karma
1 Solution

to4kawa
Ultra Champion

| makeresults
| eval _raw="
_time            Timestamp                    etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800"
| multikv forceheader=1
| eval _time=etime
| bin span=1d etime
| eval etime_check=strftime(etime,"%+")

It has been aggregated by the bin command.
The display can be changed.


0 Karma
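As an added illustration (not code from the thread or from Splunk), the same pipeline in Python: parse the thread's timestamp format, floor each epoch to a one-day bin the way `bin span=1d` does, and format the result, showing that the bin value is a full day-start timestamp for both 2019 and 2020 rows. It assumes a fixed EST offset for the zone abbreviation and EST-aligned day boundaries, which is what the thread's etime value 1577854800 corresponds to; the 2019 sample row is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples in the thread's "Wed Jan 01 16:24:28 EST 2020" format.
# The two 2020 rows are the thread's own; the 2019 row is made up for comparison.
SAMPLES = [
    "Tue Dec 31 16:24:28 EST 2019",
    "Wed Jan 01 01:09:29 EST 2020",
    "Wed Jan 01 00:56:39 EST 2020",
]

# Assumption: fixed UTC offsets (hours) for the zone abbreviations we expect.
# Python's %Z does not resolve arbitrary abbreviations, so we map them ourselves.
TZ_OFFSETS = {"EST": -5, "EDT": -4, "UTC": 0, "GMT": 0}

# Assumption: the search-time zone is EST, so day bins start at EST midnight.
SEARCH_TZ_HOURS = -5


def to_epoch(ts):
    """Mirror strptime(Timestamp, "%a %b %d %H:%M:%S %Z %Y"): epoch seconds."""
    parts = ts.split()
    zone = parts[4]
    naive = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return int(aware.timestamp())


def bin_1d(epoch, tz_hours=SEARCH_TZ_HOURS):
    """Mirror `bin span=1d`: floor the epoch to the start of its local day."""
    shift = tz_hours * 3600
    local = epoch + shift
    return local - local % 86400 - shift


def fmt(epoch, tz_hours=SEARCH_TZ_HOURS):
    """Render a bin value as a full date and time, like strftime in the thread."""
    tz = timezone(timedelta(hours=tz_hours))
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%Y-%m-%d %H:%M:%S")


def run():
    """Return (Timestamp, epoch, binned epoch, formatted bin) for each sample row."""
    rows = []
    for ts in SAMPLES:
        epoch = to_epoch(ts)
        binned = bin_1d(epoch)
        rows.append((ts, epoch, binned, fmt(binned)))
    return rows
```

Both 2020 rows bin to 1577854800, the same etime the thread shows, and formatting that value yields a full date rather than just the year.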

rhasplunk
New Member

What is returned if you run the search

|eval etime=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
|bucket etime span=1d
| table _time Timestamp etime

0 Karma

Balajiraj
Explorer

This is the output I see:

_time            Timestamp                    etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800

0 Karma

rhasplunk
New Member

When I enter 1577854800 into an epoch time converter I get Wednesday, 1 January 2020 05:00:00 (which is what I'd expect given your timezone offset for EST, i.e. GMT -5:00).

Can you post the results as returned by your original search i.e.

|eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
|bucket _time span=1d
| table Timestamp _time

0 Karma

Balajiraj
Explorer

Thanks for your input. Can you post this as an answer so that I can accept it? Also, did you see the Splunk bin command acting differently for years 2019 and 2020?

0 Karma

Balajiraj
Explorer

Thanks for the answer. I will explore this option and see if it fits my query, but did you also see the Splunk bin command acting differently for years 2019 and 2020?

0 Karma

Balajiraj
Explorer

I work in Splunk Cloud Version: 7.2.6.
Also, the link talks about the year in 2 digits and when the year is in epoch format, but in this case the year is 4 digits, and the issue is not while ingesting data but rather while applying bucket over this data.

0 Karma

carlasteenkamp
Explorer
0 Karma

Balajiraj
Explorer

Hi,

This article says
Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets this criteria will be indexed with incorrect timestamps.

But in my case the year is four digits, so I doubt this would affect it at all.

0 Karma