Splunk Enterprise Security

Splunk Enterprise Security: Threat Intelligence Audit dashboard is not displaying properly due to strptime() conversion in dashboard search

bohanlon_splunk
Splunk Employee
Splunk Employee

In Enterprise Security, the Threat Intelligence Audit dashboard is not displaying properly.
The _time and run_duration fields are incorrectly displayed when the user is in +GMT.

This is due to the strptime() conversion in the dashboard's search which looks like this:

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S-%z") 

This will work only for -GMT (-%z), but will not work for any user in +GMT.

0 Karma
1 Solution

bohanlon_splunk
Splunk Employee
Splunk Employee

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

0 Karma

bohanlon_splunk
Splunk Employee
Splunk Employee

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")
0 Karma

dirkmeeuwsen
Explorer

thanks for adding the solution!

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...