Solved: Splunk Enterprise Security: Threat Intelligence Au...

bohanlon_splunk · ‎01-20-2016

In Enterprise Security, the Threat Intelligence Audit dashboard is not displaying properly.
The _time and run_duration fields are incorrectly displayed when the user is in +GMT.

This is due to the strptime() conversion in the dashboard's search which looks like this:

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S-%z")

This will work only for -GMT (-%z), but will not work for any user in +GMT.

bohanlon_splunk · ‎01-20-2016

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

bohanlon_splunk · ‎01-20-2016

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

dirkmeeuwsen · ‎01-21-2016

thanks for adding the solution!

Splunk Enterprise Security: Threat Intelligence Audit dashboard is not displaying properly due to strptime() conversion in dashboard search

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?