Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to format earliest_time in mstats command

perrinj2
Path Finder
‎10-17-2021 09:16 PM

I'm using mstats earliest_time(metric) to find the earliest time for metric. If I use 

 

|mstats prestats=false earliest_time("http_req_duration_value") as "Start Time" where index=au_cpe_common_metrics 

 

it returns a "Start Time" like 1633986822.000000

I want to be able to display this time in human readable format on a dashboard however when I try 

~~~

|mstats prestats=false earliest_time("http_req_duration_value") as "Start Time" where index=au_cpe_common_metrics
| eval STime2=strftime("Start Time", "%d/%m/%Y %H:%M:%S")|table STime2

~~~

I get no results. 

I'd also like to be able to subtract earliest_time from latest_time to get the duration of the event based on other dimensions. 

 I also tried prestats = true but it  returned no Time values in the events.

What format is earliest time in and why can't  I format it or do calculations with the value?

What is happening here? I'm new to operating with metric indexes

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-18-2021 09:23 PM

@perrinj2 

You should always use single quotes in eval statements for field names that do not just consist of standard letters or numbers. Also, if the field name starts with a number, you must use single quotes. However, note that the LEFT hand side of the eval statement does not use single quotes, it uses double.

To illustrate

| eval "Start Time" = strftime('Start Time', "%d/%m/%Y %H:%M:%S")

the left hand side uses double quotes, but inside the eval function, it uses single quotes.

Your example is due to the space in the field name 'Start Time'. If you had used StartTime, you would not need single quotes in the eval. 

If you ever have JSON fields in your data, then you will always have to use single quotes when wrapping a field name containing a . (period)

 

View solution in original post

Reply
Solved! Jump to solution

perrinj2
Path Finder
‎10-18-2021 08:47 PM

@ITWhisperer 

Thanks. That fixed it.  For others -   Splunk resolves double quoted field names when they are used in a table command but treats them as literals when embedded in commands like stfrtime or when trying to use them in an eval statement. Easy trap to fall into

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-18-2021 09:23 PM

@perrinj2 

You should always use single quotes in eval statements for field names that do not just consist of standard letters or numbers. Also, if the field name starts with a number, you must use single quotes. However, note that the LEFT hand side of the eval statement does not use single quotes, it uses double.

To illustrate

| eval "Start Time" = strftime('Start Time', "%d/%m/%Y %H:%M:%S")

the left hand side uses double quotes, but inside the eval function, it uses single quotes.

Your example is due to the space in the field name 'Start Time'. If you had used StartTime, you would not need single quotes in the eval. 

If you ever have JSON fields in your data, then you will always have to use single quotes when wrapping a field name containing a . (period)

 

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2021 12:41 AM

Try single quotes around the field name

| eval STime2=strftime('Start Time', "%d/%m/%Y %H:%M:%S")|table STime2
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...