Hi.
I have the following query in Splunk and I need it to look like GMT-3.
index="raw_altitude_or8" "The counter total_idle_inst" | stats count as Erro
The result of this query brings me the following value:
(2019-12-09 10:30:52.271) (2019-12-09 08:06:09.840)
sql.oci.exe.13472 (trace:0) (calcInstCounter): Error[525] -> The counter total_idle_inst should not be negative, correcting...
However, I would like the search to return this field with the date 2019-12-09 07:30:52.271
I know how to do this by changing it directly in props.conf, but for the moment it is not feasible.
I would like to change the time within the query itself.
Is there such a possibility?
<form hideTitle="false">
  <label>test</label>
  <init>
    <set token="showtab1">first</set>
  </init>
  <fieldset submitButton="true">
    <input type="time" token="time_finder" searchWhenChanged="true">
      <label>Time Picker</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
      <change>
        <!-- Turn the picker's relative-time strings into epoch values, then derive
             four further windows, each shifted back by another 7 days -->
        <eval token="earliestTime">if(isstr(earliest), relative_time(now(),earliest),"-0d")</eval>
        <eval token="latestTime">if(isstr(latest), relative_time(now(),latest), "-0d")</eval>
        <eval token="earliestTime1">relative_time(earliestTime,"-7d")</eval>
        <eval token="latestTime1">relative_time(latestTime,"-7d")</eval>
        <eval token="earliestTime2">relative_time(earliestTime,"-14d")</eval>
        <eval token="latestTime2">relative_time(latestTime,"-14d")</eval>
        <eval token="earliestTime3">relative_time(earliestTime,"-21d")</eval>
        <eval token="latestTime3">relative_time(latestTime,"-21d")</eval>
        <eval token="earliestTime4">relative_time(earliestTime,"-28d")</eval>
        <eval token="latestTime4">relative_time(latestTime,"-28d")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel id="chartPanel3">
      <title>IXN</title>
      <chart>
        <title>chart 3</title>
        <search>
          <!-- One search over the five windows computed above -->
          <query>index=_internal (earliest=$earliestTime$ latest=$latestTime$) OR (earliest=$earliestTime1$ latest=$latestTime1$) OR (earliest=$earliestTime2$ latest=$latestTime2$) OR (earliest=$earliestTime3$ latest=$latestTime3$) OR (earliest=$earliestTime4$ latest=$latestTime4$)</query>
          <earliest>$time_finder.earliest$</earliest>
          <latest>$time_finder.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
      <chart>
        <title>chart 2</title>
        <search>
          <!-- Generated data: two results 12h and 5s in the past, filled in at 1-minute steps -->
          <query>| makeresults count=2 | streamstats count | eval _time=if((count == 2),relative_time('_time',"-12h"),relative_time('_time',"-5s")) | makecontinuous span=1m | eval count=(random() % 2)</query>
          <!-- Assumed fix: the only time input in this form is time_finder; the original
               referenced an undefined field1 token, which leaves the panel waiting forever -->
          <earliest>$time_finder.earliest$</earliest>
          <latest>$time_finder.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal splunkd</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">none</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">raw</option>
      </event>
    </panel>
  </row>
</form>
It's like this.
| makeresults
| eval _raw=" (2019-12-09 10:30:52.271) (2019-12-09 08:06:09.840)
sql.oci.exe.13472 (trace:0) (calcInstCounter): Error[525] -> The counter total_idle_inst should not be negative, correcting..."
| rex "(?<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
| eval _time=relative_time(strptime(date,"%Y-%m-%d %T"),"-3h")
Hi, try and check _time.
index="raw_altitude_or8" "The counter total_idle_inst"
If _time of the result is UTC,
| eval _time=relative_time(_time,"-3h")
This is OK.
Thanks for the answer.
However, I had a problem: when searching for the time using earliest and latest, the results do not return the time period entered by _time, but rather what is inside the event.
I would like to pick up the events between 2 and 3 pm by _time and not by the event time.
The value of earliest cannot be changed unless it is made into a dashboard.
If you only do a search, search and then narrow down.
And what would it be like on a dashboard?
I would like to include this research in the dashboard.
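To make the two steps discussed in this thread concrete (the rex, strptime and relative_time shift from the answer, and the follow-up question about selecting events between 2 and 3 pm by the shifted _time rather than by the indexed event time), here is an added Python model of that pipeline. It is not code from any post in this thread and not Splunk's own code; it assumes the fixed three-hour offset the answer uses, and the sample events are constructed, modelled on the line in the question.

```python
import re
from datetime import datetime, timedelta

# Same capture group as the rex in the answer: the first
# "YYYY-MM-DD HH:MM:SS.mmm" timestamp in the event text.
DATE_RE = re.compile(r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

# The offset the answer applies with relative_time(..., "-3h"); assumed here
# to be a constant three hours (a fixed offset does not follow DST changes).
SHIFT = timedelta(hours=-3)

# Constructed sample events modelled on the line in the question; not real log data.
SAMPLE_EVENTS = [
    "(2019-12-09 10:30:52.271) (2019-12-09 08:06:09.840) sql.oci.exe.13472 (trace:0) "
    "(calcInstCounter): Error[525] -> The counter total_idle_inst should not be negative, correcting...",
    "(2019-12-09 17:45:10.005) (2019-12-09 17:44:59.100) sql.oci.exe.13472 (trace:0) "
    "(calcInstCounter): Error[525] -> The counter total_idle_inst should not be negative, correcting...",
    "(2019-12-09 18:10:00.000) (2019-12-09 18:09:58.500) sql.oci.exe.13472 (trace:0) "
    "(calcInstCounter): Error[525] -> The counter total_idle_inst should not be negative, correcting...",
    "sql.oci.exe.13472 (trace:0) (calcInstCounter): heartbeat line with no timestamp",
]


def extract_date(raw):
    """rex step: return the captured 'date' field, or None when the pattern does not match."""
    m = DATE_RE.search(raw)
    return m.group("date") if m else None


def shifted_time(date_str):
    """strptime + relative_time step: parse the captured text and move it by SHIFT."""
    parsed = datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%f")
    return parsed + SHIFT


def format_time(dt):
    """Render with millisecond precision, like strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")."""
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


def events_in_window(events, start_hour, end_hour):
    """Keep events whose shifted time falls in [start_hour, end_hour) on its own day.

    This is the filtering step that must come after the eval: earliest/latest are
    applied to the indexed _time before any eval runs, so a window on the
    recomputed _time has to be a separate filter. Events without a parsable
    timestamp are dropped, mirroring a null _time after strptime.
    """
    kept = []
    for raw in events:
        date_str = extract_date(raw)
        if date_str is None:
            continue
        t = shifted_time(date_str)
        if start_hour <= t.hour < end_hour:
            kept.append(format_time(t))
    return kept


if __name__ == "__main__":
    # The value the question expects for its sample line: 2019-12-09 07:30:52.271
    print(format_time(shifted_time(extract_date(SAMPLE_EVENTS[0]))))
    # Events whose shifted time is between 2 pm and 3 pm
    print(events_in_window(SAMPLE_EVENTS, 14, 15))
```

In SPL the last function corresponds to a `where` placed after the `eval _time=...` line, for example `| where _time>=relative_time(now(),"@d+14h") AND _time<relative_time(now(),"@d+15h")`, because the search-time earliest/latest only narrow on the indexed _time. A constant offset is a stop-gap: it will drift by an hour whenever the source clock observes DST, which is why the props.conf TZ setting mentioned in the question is the durable fix.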