Different timestamp format output between manual running a search and a scheduled search

apietersen
Communicator

Hi,

I have an issue with running exactly the same search. The difference is that I first run the search based on the YearToDate period (to get some historic info) and later schedule the same search based on the Yesterday period and append that result to the CSV file. Why does it suddenly use a different time format?

DeBaenst2,"2018-04-23T00:00:00.000+0200",2,21,8615,8594
DeBaenst2,"2018-04-24T00:00:00.000+0200",1,19,8634,8615
DeBaenst2,"2018-04-25T00:00:00.000+0200",1,19,8653,8634
DeBaenst2,"2018-04-26T00:00:00.000+0200",2,21,8674,8653
DeBaenst2,"2018-04-27T00:00:00.000+0200",1,16,8690,8674
DeBaenst2,"2018-04-28T00:00:00.000+0200",2,14,8704,8690
DeBaenst2,1524952800,,"0.5",8705,8704

Does anyone have a suggestion?
regards
Ashley Pietersen

0 Karma
1 Solution

apietersen
Communicator

Hi TISKAR,

I have checked it this morning and it looks OK, although I do not understand why the outcome differs. Also, zero values are represented as an empty field (but that was another post). Many thanks,

regards
Ashley Pietersen

0 Karma

TISKAR
Builder

Can you try this please:

<your_base_search> | eval _time=strftime(_time,"%Y-%m-%dT%H:%M:%S.%3Q")
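The problem in the question is that the manual run wrote _time in Splunk's default ISO-8601 rendering while the scheduled run appended a raw epoch value, so the CSV ends up with two timestamp formats in one column. The script below is an added Python example, not code from the thread or from Splunk: it takes the rows posted in the question as constructed sample input, reports which renderings the _time column contains, and rewrites every row to the same ISO form that the strftime answer above produces in SPL. The +0200 offset, the column position of _time (second column, as in the table command of the search), and the millisecond precision are assumptions taken from the posted rows.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the rows posted in the question (six from the YearToDate
# run, one from the scheduled "Yesterday" run). Column order follows the search's
# "table MachineID _time err_day daily_hrs maxhours minhours".
SAMPLE_CSV = """\
DeBaenst2,"2018-04-23T00:00:00.000+0200",2,21,8615,8594
DeBaenst2,"2018-04-24T00:00:00.000+0200",1,19,8634,8615
DeBaenst2,"2018-04-25T00:00:00.000+0200",1,19,8653,8634
DeBaenst2,"2018-04-26T00:00:00.000+0200",2,21,8674,8653
DeBaenst2,"2018-04-27T00:00:00.000+0200",1,16,8690,8674
DeBaenst2,"2018-04-28T00:00:00.000+0200",2,14,8704,8690
DeBaenst2,1524952800,,"0.5",8705,8704
"""

TIME_COL = 1                                   # assumed: _time is the second column
REPORT_TZ = timezone(timedelta(hours=2))       # assumed: the +0200 offset seen in the manual run
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}$")
EPOCH_RE = re.compile(r"^-?\d+(\.\d+)?$")


def classify(value: str) -> str:
    """Label a _time cell as 'iso' (Splunk's default rendering), 'epoch', or 'unknown'."""
    if ISO_RE.match(value):
        return "iso"
    if EPOCH_RE.match(value):
        return "epoch"
    return "unknown"


def parse_time(value: str) -> datetime:
    """Turn either rendering into a timezone-aware datetime in the report's offset."""
    kind = classify(value)
    if kind == "epoch":
        return datetime.fromtimestamp(float(value), tz=REPORT_TZ)
    if kind == "iso":
        # %f accepts the 3-digit millisecond part, %z accepts "+0200"
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(REPORT_TZ)
    raise ValueError(f"unrecognised _time value: {value!r}")


def format_time(dt: datetime) -> str:
    """Render like Splunk's default _time output: millisecond precision, offset without colon."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}" + dt.strftime("%z")


def time_format_report(csv_text: str) -> dict:
    """Count the renderings present in the _time column; more than one key means mixed rows."""
    counts: dict = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if row:
            kind = classify(row[TIME_COL])
            counts[kind] = counts.get(kind, 0) + 1
    return counts


def normalize_csv(csv_text: str) -> str:
    """Rewrite the _time column of every row to the ISO rendering; other cells stay untouched."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        row[TIME_COL] = format_time(parse_time(row[TIME_COL]))
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print("formats before:", time_format_report(SAMPLE_CSV))
    fixed = normalize_csv(SAMPLE_CSV)
    print("formats after: ", time_format_report(fixed))
    print(fixed)
```

Running the script on the posted rows reports one epoch row among six ISO rows and rewrites 1524952800 to 2018-04-29T00:00:00.000+0200, the day after the last manual row. The empty err_day cell and the "0.5" value are passed through unchanged, so the check only touches the timestamp column; time_format_report is the part worth wiring into whatever consumes the appended file, since a second key in its result is exactly the inconsistency the question describes.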

apietersen
Communicator

Hi TISKAR,

Thanks, I will need to test. It runs every day. I will let you know ASAP.

regards
Ashley Pietersen

0 Karma

TISKAR
Builder

Hey, if that works, can you please upvote my response or accept my answer to help another person.
Thanks

0 Karma

xpac
SplunkTrust
SplunkTrust

Can you please post your actual search string?

0 Karma

apietersen
Communicator

See below:

index=XXX AND MachineID=YYY AND (Tag="Application.MM_PD.scMachineControl_RBS.iCntHourRuntime")
| dedup _time | timechart span=1d@d max(Value) as maxhours min(Value) as minhours
| eval daily_hrs=(maxhours-minhours)/2
| appendcols [search index=XXX AND MachineID=YYY AND Tag=sText AND Value="*error" | dedup _time
  | timechart span=4h dc(Value) as err_4h
  | timechart span=1d@d sum(err_4h) as err_day ]
| eval MachineID="DeBaenst2" | table MachineID _time err_day daily_hrs maxhours minhours

0 Karma