Bucket behaves differently for year 2020

Balajiraj
Explorer

I have a query which looks for date and time in a field (Timestamp) which is of the format "Wed Jan 01 16:24:28 EST 2020" and does a strptime on it. Next I group events using bucket. This used to give the events by date in the format 2019-12-31. But for dates in year 2020 it just returns the year "2020".

|eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y")
|bucket _time span=1d
| table Timestamp _time

Am I missing something here, and is this how bucket is expected to work?

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults
| eval _raw="
_time            Timestamp                    etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800"
| multikv forceheader=1
| eval _time=etime
| bin span=1d etime
| eval etime_check=strftime(etime,"%+")

It has been aggregated by bin command.
The display can be changed.

0 Karma
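To make to4kawa's point concrete (bin produces an epoch number; how that number is displayed is a separate matter), here is an added Python reproduction of the search in this thread. It is not code from the thread or from Splunk. It assumes the display timezone is EST (-05:00), which is what the thread's value 1577854800 (2020-01-01 00:00:00 -05:00) implies, and it uses a hand-built zone-abbreviation table because Python's own strptime %Z does not recognise "EST". The 2019 row in the sample input is constructed and is not from the thread; it shows that a 1d bucket on either side of the year boundary comes out the same way.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed abbreviation table (assumption). Splunk's strptime resolves %Z
# itself; Python's %Z only accepts UTC/GMT and the local zone names, so the
# offset for the thread's "EST" is mapped by hand here.
ZONE_OFFSET_HOURS = {"EST": -5, "EDT": -4, "GMT": 0, "UTC": 0}

# Display timezone used for bin and strftime (assumption: EST, -05:00, as the
# thread's epoch value 1577854800 = 2020-01-01 00:00:00 -05:00 implies).
DISPLAY_TZ = timezone(timedelta(hours=-5))

_TS_RE = re.compile(
    r"^(?P<dow>[A-Za-z]{3}) (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{3,4}) (?P<year>\d{4})$"
)


def strptime_epoch(timestamp: str) -> int:
    """Stand-in for strptime(Timestamp, "%a %b %d %H:%M:%S %Z %Y").

    Returns epoch seconds. Raises ValueError on an unparseable string or an
    unknown zone abbreviation: silently dropping %Z would shift every event
    by the zone offset, which is worse than failing loudly.
    """
    m = _TS_RE.match(timestamp)
    if m is None:
        raise ValueError(f"timestamp does not match expected layout: {timestamp!r}")
    tz_name = m["tz"]
    if tz_name not in ZONE_OFFSET_HOURS:
        raise ValueError(f"unknown zone abbreviation {tz_name!r} in {timestamp!r}")
    naive = datetime.strptime(
        f"{m['dow']} {m['mon']} {m['day']} {m['hms']} {m['year']}",
        "%a %b %d %H:%M:%S %Y",
    )
    aware = naive.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSET_HOURS[tz_name])))
    return int(aware.timestamp())


def bin_span_1d(epoch: int, tz: timezone = DISPLAY_TZ) -> int:
    """Stand-in for `bin _time span=1d`: snap to local midnight in tz.

    The result is still a plain epoch number; nothing about it depends on
    the year of the input.
    """
    local = datetime.fromtimestamp(epoch, tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    return int(midnight.timestamp())


def strftime_check(epoch: int, fmt: str = "%Y-%m-%d", tz: timezone = DISPLAY_TZ) -> str:
    """Explicit rendering of a binned value, independent of how a UI chooses
    to display _time for a given span."""
    return datetime.fromtimestamp(epoch, tz).strftime(fmt)


def table_rows(timestamps):
    """Mimics `| table Timestamp _time etime_check` over parsed, binned events."""
    rows = []
    for ts in timestamps:
        epoch = strptime_epoch(ts)
        binned = bin_span_1d(epoch)
        rows.append({"Timestamp": ts, "_time": binned, "etime_check": strftime_check(binned)})
    return rows


# Constructed sample input: the two 2020 events quoted in the thread plus one
# 2019 event (not from the thread) either side of the year boundary.
SAMPLE_TIMESTAMPS = [
    "Tue Dec 31 23:59:59 EST 2019",
    "Wed Jan 01 00:56:39 EST 2020",
    "Wed Jan 01 01:09:29 EST 2020",
]

if __name__ == "__main__":
    for row in table_rows(SAMPLE_TIMESTAMPS):
        print(f"{row['Timestamp']}  {row['_time']}  {row['etime_check']}")
```

Both 2020 events bin to 1577854800, the value shown in the thread, and the 2019 event bins to the previous midnight; rendering each with an explicit strftime gives the full date in every case, which is the same control to4kawa's `etime_check` field applies in SPL.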

rhasplunk
New Member

What is returned if you run the search

|eval etime=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y") 
|bucket etime span=1d
| table _time Timestamp etime
0 Karma

Balajiraj
Explorer

This is the output i see
_time            Timestamp                    etime
2019-12-30 11:00 Wed Jan 01 01:09:29 EST 2020 1577854800
2019-12-30 11:00 Wed Jan 01 00:56:39 EST 2020 1577854800

0 Karma

rhasplunk
New Member

When I enter 1577854800 into an epoch time converter I get Wednesday, 1 January 2020 05:00:00 (which is what I'd expect given your timezone offset for EST, i.e. GMT -5:00).

Can you post the results as returned by your original search i.e.

|eval _time=strptime(Timestamp,"%a %b %d %H:%M:%S %Z %Y") 
|bucket _time span=1d
| table Timestamp _time
0 Karma

Balajiraj
Explorer

Thanks for your input. Can you post this as an answer so that I can accept it? Also, did you see the Splunk bin command acting differently for years 2019 and 2020?

0 Karma

Balajiraj
Explorer

Thanks for the answer. I will explore this option and see if it fits my query, but did you also see the Splunk bin command acting differently for years 2019 and 2020?

0 Karma

Balajiraj
Explorer

I work in Splunk Cloud, version 7.2.6.
Also, the link talks about the year being in 2 digits and when the year is in epoch format, but in this case the year is 4 digits, and the issue is not while ingesting data but rather while applying bucket over this data.

0 Karma

carlasteenkamp
Explorer
0 Karma

Balajiraj
Explorer

Hi,

This article says
Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets this criteria will be indexed with incorrect timestamps.

But in my case the year is four digits, so I doubt this would affect it at all.

0 Karma