Hi, I am facing a timestamp issue.
I have created one sample dashboard below
<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>token=$time_tok.earliest$</title>
      <table>
        <search>
          <query>index=_internal |stats count by host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
and I have selected the time range from input -> Date and Time Range -> Since 26 Jun 2019 08:00
and I have copied its epoch value from the panel title, where this value is set.
Then I ran the sample search below:
| makeresults
| eval time="1561536000.000"
| eval time=strftime(time, "%Y-%m-%d %H:%M:%S.%N%Z")
Please change the time value as per the dashboard token value from the panel title.
Now I was expecting the result to be the same as the time input set (i.e. 26 Jun 2019 08:00) but it's giving a different time...
I tested in Splunk versions 7.2 and 7.3, still the same issue...
Is this a bug, or am I misunderstanding it? Please guide.
@ips_mandar, the time from the time picker is changing to your local time zone: UTC to IST.
You would
1) either need to change the logged-in user's time zone to UTC from default or IST. Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureuserswithSplunkWeb
2) or convert the timezone to UTC using the current user's timezone (with SPL and time functions you should be able to do this). For example, if %z is +0530 then you need to subtract 5 hours 30 minutes, i.e. 5*60*60 + 30*60 = 19800 seconds, from the epoch time.
Thanks @niketnilay
Similarly, I was checking on our prod server, which is in the EDT timezone,
and I selected the dropdown value 26 June 2019 08:00 and checked the epoch time, which was "1561516200".
Then I converted the time and I see it as:
06/25/2019 22:30:00Eastern Daylight Time
But the difference between UTC and EDT is 4 hours, so if I try to add 4 hours then it will not give 26 June 2019 08:00?
So the epoch value got from the input time is in which timezone?
To get the required result, i.e. 26 June 2019, I have to add 9 hours 30 min, i.e. 34200, to the epoch value.
@ips_mandar no, this does not depend fully on your Splunk Server. If you table date_wday, date_mday, date_hour, date_minute, date_second, then they will be dependent on your Splunk Server timezone. But for chart, _time is adjusted based on the logged-in user's timezone (which may be different from the Splunk Server timezone).
So, as suggested above, try to change the logged-in user's timezone from Access Management and see if it helps.
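Added example (not part of any post in this thread): Python that decodes the two epoch values quoted above under fixed UTC offsets, showing that the epoch value itself is zone-independent and only its rendering changes. The fixed offsets used for IST and EDT and all function names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets, assumed for this example (real zones carry DST rules).
UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30), "IST")
EDT = timezone(timedelta(hours=-4), "EDT")

FMT = "%Y-%m-%d %H:%M:%S %Z"


def render(epoch, tz):
    """Format an epoch value (number or string) as wall-clock time in tz."""
    return datetime.fromtimestamp(float(epoch), tz).strftime(FMT)


def picker_offset(epoch, wall_clock):
    """UTC offset under which `epoch` is displayed as the naive `wall_clock`."""
    naive_utc = datetime.fromtimestamp(float(epoch), UTC).replace(tzinfo=None)
    return wall_clock - naive_utc


def shift_needed(display_tz, picker_tz, epoch):
    """Seconds to add so display_tz shows the wall clock chosen in picker_tz."""
    at = datetime.fromtimestamp(float(epoch), UTC)
    delta = picker_tz.utcoffset(at) - display_tz.utcoffset(at)
    return int(delta.total_seconds())


if __name__ == "__main__":
    picked = datetime(2019, 6, 26, 8, 0)  # "26 Jun 2019 08:00" in the picker
    for epoch in ("1561536000.000", "1561516200"):  # values quoted in the thread
        print(epoch)
        for tz in (UTC, IST, EDT):
            print("   ", render(epoch, tz))
        print("    offset that yields 08:00:", picker_offset(epoch, picked))
    # Correction needed when the value was picked in IST but rendered in EDT.
    print(shift_needed(EDT, IST, 1561516200))
```

When the epoch is compared against another epoch field, no shift is needed; the offset only matters once either side is turned into a wall-clock string.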
@amitm05 I made the sample XML below, where I am selecting the default time, and the input time will show as Since 26 Jun 2019 08:00.
I parsed this epoch time using strftime to make it a readable format and am checking it in the field reflectedtime,
but it shows a different time instead of the same 26 June 2019 08:00. Please see screenshot.
<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>1561536000</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>token=$time_tok.earliest$</title>
      <table>
        <search>
          <query>| makeresults
| eval reflectedtime=$time_tok.earliest$
| eval reflectedtime=strftime(reflectedtime, "%Y-%m-%d %H:%M:%S.%N%Z")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
@niketnilay any pointers here please? I am really unable to understand.
@ips_mandar
Just tested this; the time token value is not getting updated in the title tag (as you are trying). But of course it's working in the earliest and latest tags, like below:
<earliest>$time_tok.earliest$</earliest>
<latest>$time_tok.latest$</latest>
I am guessing you are only trying to check the value by placing it in the title tag, but you can be assured that it will work with the earliest and latest tags. You can maybe compare the results of the searches of the dashboard panel with an open search bar query.
Hope this helps. Let me know.
Thanks @amitm05. Did you try the exact XML which I pasted here? In that, the token is getting updated in the title; I just retested it again...
Basically, in my actual query I am not trying to use it in the earliest and latest tags, since I want to use the earliest epoch value to compare with one field which is other than the _time field. So I am using the epoch value, but the problem is that if I convert this epoch value I am not getting the exact date and time set in the time token...