Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different timestamp format output between manual running a search and a scheduled search

apietersen
Contributor
‎04-30-2018 12:36 AM

Hi,

I have an issue with running an exactly the same search. he difference is that I first run the search based on YearToDate period (to get some historic infor) and later schedule the same search based on Yesterday period and to append that result to the CSV file. Why does it suddenly use a different time format?

DeBaenst2,"2018-04-23T00:00:00.000+0200",2,21,8615,8594
DeBaenst2,"2018-04-24T00:00:00.000+0200",1,19,8634,8615
DeBaenst2,"2018-04-25T00:00:00.000+0200",1,19,8653,8634
DeBaenst2,"2018-04-26T00:00:00.000+0200",2,21,8674,8653
DeBaenst2,"2018-04-27T00:00:00.000+0200",1,16,8690,8674
DeBaenst2,"2018-04-28T00:00:00.000+0200",2,14,8704,8690
DeBaenst2,1524952800,,"0.5",8705,8704

Does anyone have a suggestion?
regards
Ashley Pietersen

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

apietersen
Contributor
‎05-01-2018 05:29 AM

Hi TISKAR,

I have checked it this morning and it looks OK. Although I do not understand why the different outcome. Also zero values are represented as an empty field. (but that was another post) - Many thanks,

regards
Ashley Pietersen

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

apietersen
Contributor
‎05-01-2018 05:29 AM

Hi TISKAR,

I have checked it this morning and it looks OK. Although I do not understand why the different outcome. Also zero values are represented as an empty field. (but that was another post) - Many thanks,

regards
Ashley Pietersen

0 Karma
Reply
Solved! Jump to solution

TISKAR
Builder
‎04-30-2018 01:47 AM

Can you try this please:

<your_base_search> | eval _time=strftime(_time,"%Y-%m-%dT%H:%M:%S.%3Q")
Reply
Solved! Jump to solution

apietersen
Contributor
‎04-30-2018 03:23 AM

HI TISKAR,

Thanks, I will need to test. It runs everyday. I will let you know asap.

regards
Ashley Pietersen

0 Karma
Reply
Solved! Jump to solution

TISKAR
Builder
‎05-01-2018 05:46 AM

Hey, If that work, xan you please up vote my respense or accept my answer to help another person.
Thank's

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 01:04 AM

Can you please post your actual search string, please?

0 Karma
Reply
Solved! Jump to solution

apietersen
Contributor
‎04-30-2018 03:19 AM

See below:

index=XXX AND MachineID=YYY AND (Tag="Application.MM_PD.scMachineControl_RBS.iCntHourRuntime")

| dedup _time | timechart span=1d@d max(Value) as maxhours min(Value) as minhours

| eval daily_hrs=(maxhours-minhours)/2
| appendcols [search index=XXX AND MachineID=YYY AND Tag=sText AND Value="*error" | dedup _time

| timechart span=4h dc(Value) as err_4h

| timechart span=1d@d sum(err_4h) as err_day ]
| eval MachineID="DeBaenst2" | table MachineID _time err_day daily_hrs maxhours minhours

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...