
After upgrade to 6.6.1, one of my searches is not working as expected?

Motivator

Hi All,

I have used the search below to capture the Splunk service status (Up or Down) via splunkd.log. After an upgrade to the latest version, this search is not working as expected: we are still getting the status update, but the datetime field is left blank.

In the older version, 6.2.1, we used to get data in the datetime field. The datetime field used to display the earliest / latest timestamp of the Splunk service status; currently we are not getting it.

Kindly let me know whether we need to modify the search below to fetch the datetime data.

index=_internal host=hp* OR host=vm* sourcetype=splunkd source="/opt/splunk/var/log/splunk/splunkd.log" "loader - Splunkd starting" OR "INFO  ShutdownHandler - Shutting down splunkd" | eval message=if((message="Shutting down splunkd"),"failure","success") | rename message as status |eval Date_Time= readabledate + " " + readabletime | sort host | table host Date_Time status

Thanks in advance.


Re: After upgrade to 6.6.1, one of my search queries is not working as expected?

Motivator

Hi All, can anyone guide me on how to get the Date_Time field using the above search query?

Thanks in advance.


Re: After upgrade to 6.6.1, one of my search queries is not working as expected?

Champion

You can get it from _time.

|eval Date_Time= readabledate + " " + readabletime

|eval Date_Time=strftime(_time,"%Y/%m/%d %H:%M:%S")


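The corrected approach above (take the event timestamp Splunk already parsed into `_time` and render it with `strftime`), re-implemented in Python over a few constructed splunkd.log lines. This is an added example, not code from the thread or from Splunk: the sample lines, the host names, and the helper names (`parse_time`, `strftime_utc`, `classify`, `service_status`) are all mine. Splunk populates `_time` from the timestamp at the head of each splunkd.log line (format `MM-DD-YYYY HH:MM:SS.mmm +ZZZZ`), normalised to epoch seconds, which is why a `+0530` line and a `+0000` line compare correctly; SPL's `strftime` then renders that epoch in the searching user's timezone, which the example assumes to be UTC. One caveat on the original search itself: in SPL, AND binds tighter than OR, so `index=_internal host=hp* OR host=vm* sourcetype=splunkd ...` is read as `(index=_internal host=hp*) OR (host=vm* sourcetype=splunkd ...)`; wrap the two host clauses in parentheses to get the intended filter.

```python
"""Re-implementation of the Splunk service up/down search in plain Python.

Added example: parses constructed splunkd.log lines, derives the event time
the way Splunk derives _time, classifies start/stop messages, and renders a
Date_Time column with the same strftime format used in the corrected search.
"""
import re
from datetime import datetime, timezone

# Constructed sample data. A raw splunkd.log line does not carry the host name;
# Splunk attaches it as metadata at index time, so each sample is (host, raw line).
SAMPLE_EVENTS = [
    ("vm01", "06-27-2017 08:15:02.113 +0000 INFO  loader - Splunkd starting (build 6.6.1)"),
    ("hp02", "06-27-2017 09:40:55.908 +0000 INFO  ShutdownHandler - Shutting down splunkd"),
    ("hp02", "06-27-2017 09:42:10.004 +0000 INFO  loader - Splunkd starting (build 6.6.1)"),
    # Same instant written with a +0530 offset: _time normalises it to 05:35:33 UTC.
    ("vm01", "06-27-2017 11:05:33.652 +0530 INFO  ShutdownHandler - Shutting down splunkd"),
    # Unrelated line: matches neither start nor stop and must be dropped.
    ("vm01", "06-27-2017 11:05:33.700 +0000 WARN  TcpOutputProc - Cooked connection timed out"),
]

# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)


def parse_time(ts: str) -> float:
    """What Splunk stores in _time: the line's own timestamp as epoch seconds."""
    return datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z").timestamp()


def strftime_utc(epoch: float, fmt: str = "%Y/%m/%d %H:%M:%S") -> str:
    """Equivalent of SPL strftime(_time, fmt); assumes the user's timezone is UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def classify(message: str):
    """Mirror of the search's eval: shutdown -> failure, start -> success, else None."""
    if message.startswith("Shutting down splunkd"):
        return "failure"
    if message.startswith("Splunkd starting"):
        return "success"
    return None


def service_status(events):
    """Return [(host, Date_Time, status)] sorted by host, like '| table host Date_Time status'."""
    rows = []
    for host, raw in events:
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a well-formed splunkd.log line
        status = classify(m["message"])
        if status is None:
            continue                      # not a start/stop event
        rows.append((host, strftime_utc(parse_time(m["ts"])), status))
    rows.sort(key=lambda r: r[0])         # '| sort host'; Python's sort is stable
    return rows


if __name__ == "__main__":
    for host, date_time, status in service_status(SAMPLE_EVENTS):
        print(f"{host:<6} {date_time}  {status}")
```

Run as-is it prints four rows: two for hp02 and two for vm01, with the `+0530` shutdown shown as 05:35:33 UTC and the WARN line excluded. The same normalisation is what makes `_time` usable across forwarders in different timezones, whereas any field built from text fragments of the raw line would carry the offset along uncorrected.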
Re: After upgrade to 6.6.1, one of my search queries is not working as expected?

Motivator

Thanks Hiroshisatoh, it's working now, but what is the difference between the two commands, "readabledate + " " + readabletime" and strftime / _time?
