After upgrading to 6.6.1, one of my searches is not working as expected?

Hemnaath
Motivator

Hi All, I have used the below query to capture the Splunk service status (Up or Down) via splunkd.log. After an upgrade to the latest version this query is not working as expected: though we are getting the status update, the date_time field is left blank. In the older version 6.2.1 we used to get the data in the date_time field. The date_time field used to display data containing the earliest / latest timestamp of the Splunk service status; currently we are not getting it. Kindly let me know whether we need to modify the below query to fetch the date_time data.

index=_internal host=hp* OR host=vm* sourcetype=splunkd source="/opt/splunk/var/log/splunk/splunkd.log" "loader - Splunkd starting" OR "INFO  ShutdownHandler - Shutting down splunkd" | eval message=if((message="Shutting down splunkd"),"failure","success") | rename message as status |eval Date_Time= readabledate + " " + readabletime | sort host | table host Date_Time status

Thanks in advance.


HiroshiSatoh
Champion

You can get it from _time.

|eval Date_Time= readabledate + " " + readabletime

|eval Date_Time=strftime(_time,"%Y/%m/%d %H:%M:%S")
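As an added illustration (not part of the answer above, and not Splunk's own code), the following stand-alone Python emulates what the two eval variants do over a few constructed splunkd.log lines: the old concatenation returns null as soon as the readabledate/readabletime fields are absent, while the accepted fix derives Date_Time from each event's own timestamp. The host name, log lines and build string are constructed placeholders; Splunk renders _time in the search user's time zone, whereas this emulation uses UTC for a deterministic result.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the page) in splunkd.log's layout:
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL component - message".
SAMPLE_LOG = """\
06-12-2017 08:15:02.113 +0000 INFO  loader - Splunkd starting (build PLACEHOLDER).
06-12-2017 09:40:55.871 +0000 INFO  ShutdownHandler - Shutting down splunkd
06-12-2017 09:42:10.004 +0000 INFO  loader - Splunkd starting (build PLACEHOLDER).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+(?P<component>\S+) - (?P<message>.*)$")

def parse_event(line, host):
    """Build an event dict; _time comes from the line's own timestamp, as Splunk's does."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return {"host": host, "_time": ts.timestamp(), "message": m["message"]}

def date_time_from_extracted(event):
    """The old eval: readabledate + " " + readabletime. In SPL, concatenating a missing
    field yields null, which is why Date_Time went blank once those fields were gone."""
    date, time_ = event.get("readabledate"), event.get("readabletime")
    if date is None or time_ is None:
        return None
    return date + " " + time_

def date_time_from_time(event):
    """The accepted fix: strftime(_time, "%Y/%m/%d %H:%M:%S"). Rendered in UTC here for
    a deterministic result; Splunk renders in the search user's time zone."""
    return datetime.fromtimestamp(event["_time"], tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")

def service_status_table(lines, host):
    """Emulate the search's output table: (host, Date_Time, status), sorted by host."""
    rows = []
    for line in lines:
        event = parse_event(line, host)
        if event is None:
            continue
        status = "failure" if "Shutting down splunkd" in event["message"] else "success"
        rows.append((host, date_time_from_time(event), status))
    return sorted(rows, key=lambda r: r[0])
```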


Hemnaath
Motivator

Thanks HiroshiSatoh, it's working now, but what is the difference between the two commands "readabledate + " " + readabletime" and strftime/_time?


Hemnaath
Motivator

Hi All, can anyone guide me how to get the Date_Time field by using the above search query?

Thanks in advance.
