Timestamp not showing up as set time input

ips_mandar
Builder

Hi, I am facing a timestamp issue.
I have created one sample dashboard below

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>token=$time_tok.earliest$</title>
      <table>
        <search>
          <query>index=_internal |stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

and I have selected time range from input->Date and Time Range->Since 26 Jun 2019 08:00
and I have copied its epoch value from panel title where this value is set.
Then I run below sample search:

| makeresults
| eval time="1561536000.000"
| eval time=strftime(time, "%Y-%m-%d %H:%M:%S.%N%Z")

Please change time value as per dashboard token value from panel title.
Now I was expecting the result to be the same as time input set (i.e. 26 Jun 2019 08:00) but it's giving a different time...
I tested in Splunk version 7.2 and 7.3, still the same issue...
Is this a bug or am I misunderstanding it? Please guide.

0 Karma
1 Solution

niketn
Legend

@ips_mandar, the time from the time picker is changing to your local time zone. UTC to IST.

You would
1) either need to change logged in user time zone to UTC from default or IST. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb

2) convert timezone to UTC using current user's timezone (with SPL and time functions you should be able to do this). For example, if %z is +0530 then you need to subtract 5 hours 30 minutes i.e. 5*60*60 + 30*60=19800 seconds from epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ips_mandar
Builder

Thanks @niketnilay
Similarly I was checking in our prod server which is in EDT timezone
and I selected dropdown value 26 June 2019 08:00 and check epoch time which was "1561516200"
then converted time and I see as-
06/25/2019 22:30:00Eastern Daylight Time

But difference between UTC and EDT is 4 hours so if I try to add 4 hours then it will not give 26 June 2019 08:00 ?
So the epoch value got from input time is in which timezone?

To get required results i.e. 26 June 2019, I have to add 9 hours 30 min i.e. 34200 to epoch value

0 Karma
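
An added example, not part of any post in this thread: Python that renders the two epoch values quoted above at the offsets named in the thread (IST taken as +05:30 and EDT as -04:00, both assumed fixed). It shows that the epoch itself is zone-independent and only its rendering changes, and it reproduces the 19800 and 34200 second figures; the helper names are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets for the zones named in the thread (assumption: no DST change
# matters for these two instants, so no tz database is needed).
UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30), "IST")
EDT = timezone(timedelta(hours=-4), "EDT")

FMT = "%Y-%m-%d %H:%M:%S%z"


def render(epoch, tz):
    """Format an epoch as a reader whose display offset is `tz` would see it."""
    return datetime.fromtimestamp(epoch, tz).strftime(FMT)


def offset_seconds(z):
    """Turn a %z string such as '+0530' into signed seconds (19800)."""
    sign = -1 if z[0] == "-" else 1
    return sign * (int(z[1:3]) * 3600 + int(z[3:5]) * 60)


def entry_offset(epoch, wall_clock):
    """Offset (seconds) at which `wall_clock` must have been read to yield `epoch`."""
    as_utc = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)
    return int(as_utc.timestamp()) - epoch


def shift_to_show_entered(entered_z, display_z):
    """Seconds to add to an epoch so `display_z` renders the entered wall clock."""
    return offset_seconds(entered_z) - offset_seconds(display_z)


if __name__ == "__main__":
    picked = "2019-06-26 08:00"              # value chosen in the time input
    for epoch in (1561536000, 1561516200):   # epochs quoted in the thread
        print(epoch, "entered at offset", entry_offset(epoch, picked), "s")
        for tz in (UTC, IST, EDT):
            print("   ", render(epoch, tz))
    print("shift for an EDT display:", shift_to_show_entered("+0530", "-0400"))
```

For 1561516200 the entry offset comes out as 19800 seconds and the EDT rendering as 2019-06-25 22:30:00, so the extra 34200 seconds is the +05:30 entry offset minus the -04:00 display offset.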

niketn
Legend

@ips_mandar no, this does not depend fully on your Splunk Server. If you table date_wday, date_mday, date_hour, date_minute, date_second, then they will be dependent on your Splunk Server timezone. But for chart _time is adjusted based on logged in User's Timezone (which may be different from Splunk Server timezone).

So as suggested above try to change the logged in user's timezone from Access Management and see if it helps.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ips_mandar
Builder

@amitm05 I made below sample xml where I am selecting by default time and input time it will show as Since 26 Jun 2019 08:00
and I parsed this epoch time using strftime to make it readable format and checking in field-reflectedtime but it shows different time instead of same 26 June 2019 08:00.. please see screenshot

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>1561536000</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>token=$time_tok.earliest$</title>
      <table>
        <search>
          <query>| makeresults
 | eval reflectedtime=$time_tok.earliest$
 | eval reflectedtime=strftime(reflectedtime, "%Y-%m-%d %H:%M:%S.%N%Z")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

ips_mandar
Builder

@niketnilay any pointers here please.. I am really unable to understand..

0 Karma

amitm05
Builder

@ips_mandar
Just tested this, the time token value is not getting updated in the title tag (as you are trying). But of course it's working in earliest and latest tags like below -

<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>

I am guessing you are only trying to check the value by placing it in title tag, but you can be assured that it will work with earliest and latest tags. You can maybe compare the results of the searches of dashboard panel with an open search bar query.

Hope this helps. Let me know

ips_mandar
Builder

Thanks @amitm05.. Did you try my exact XML which I pasted here? Since in that, token is getting updated in title, just retested again...
basically in my actual query I am not trying to use in earliest and latest tag since I want to use earliest epoch value to compare with one field which is other than _time field so I am using epoch value but the problem is if I convert this epoch value I am not getting exact date and time set in time token...

0 Karma