Splunk Enterprise Security

Splunk Enterprise Security: Threat Intelligence Audit dashboard is not displaying properly due to strptime() conversion in dashboard search

Splunk Employee
Splunk Employee

In Enterprise Security, the Threat Intelligence Audit dashboard is not displaying properly.
The time and runduration fields are incorrectly displayed when the user is in +GMT.

This is due to the strptime() conversion in the dashboard's search which looks like this:

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S-%z") 

This will work only for -GMT (-%z), but will not work for any user in +GMT.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

0 Karma

Explorer

thanks for adding the solution!

0 Karma