Solved: Convert Time Picker values in readable format..?

vinothn · ‎03-08-2020

Based on the time picker & time modifier token i am displaying the time values in a human readable format in a label.

For this command i am getting the proper results.

| makeresults
| eval latest1="1583038799.000",earliest1="1567310400.000"
| eval latest2=strftime(latest1,"%Y-%m-%d %H:%M:%S"),earliest2=strftime(earliest1,"%Y-%m-%d %H:%M:%S")

But if i try it in time modifier i am not getting the same result i am not sure it is because of time zone ..?

![<search>
    <query>
      |makeresults 
| addinfo
    </query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <eval token="Tearliest">strftime($result.info_min_time$,"%Y-%m-%d %H:%M:%S")</eval>
      <eval token="Tlatest">strftime($result.info_max_time$,"%Y-%m-%d %H:%M:%S")</eval>
    </done>
  </search>][2]

Both the places i am using the same code getting different results. any thoughts..
Thanks in advance....

manjunathmeti · ‎03-08-2020

Hi @vinothn,

There is an exception while using eval expression with function strftime() to define token filtering for dashboards. It uses client (browser) time zone. It will be better if you convert epoch to date time string search query itself then set fields to token.

![<search>
     <query>
       |makeresults 
       | addinfo | eval info_min_datetime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S %Z"), info_max_datetime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S %Z")
     </query>
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
     <done>
       <set token="Tearliest">$result.info_min_datetime$</set>
       <set token="Tlatest">$result.info_max_datetime$</set>
     </done>
   </search>][2]

View solution in original post

vinothn · ‎03-09-2020

Thank you @manjunathmeti the above answer is working.
Still since my splunk instance is running on EST it is showing time stamp values in EST zone, but the users are from different zone is there any way to show the timestamp based on the user location.

manjunathmeti · ‎03-09-2020

hi @vinothn,

You can eval expression like one in your question only.

![<search>
     <query>
       |makeresults 
 | addinfo
     </query>
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
     <done>
       <eval token="Tearliest">strftime($result.info_min_time$,"%Y-%m-%d %H:%M:%S %z")</eval>
       <eval token="Tlatest">strftime($result.info_max_time$,"%Y-%m-%d %H:%M:%S %z")</eval>
     </done>
   </search>][2]

manjunathmeti · ‎03-08-2020

Hi @vinothn,

There is an exception while using eval expression with function strftime() to define token filtering for dashboards. It uses client (browser) time zone. It will be better if you convert epoch to date time string search query itself then set fields to token.

![<search>
     <query>
       |makeresults 
       | addinfo | eval info_min_datetime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S %Z"), info_max_datetime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S %Z")
     </query>
     <earliest>$field1.earliest$</earliest>
     <latest>$field1.latest$</latest>
     <done>
       <set token="Tearliest">$result.info_min_datetime$</set>
       <set token="Tlatest">$result.info_max_datetime$</set>
     </done>
   </search>][2]

Convert Time Picker values in readable format..?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation