Splunk Enterprise

How to format earliest_time in mstats command

perrinj2
Path Finder

I'm using mstats earliest_time(metric) to find the earliest time for metric. If I use 

~~~

|mstats prestats=false earliest_time("http_req_duration_value") as "Start Time" where index=au_cpe_common_metrics

~~~

it returns a "Start Time" like 1633986822.000000

I want to be able to display this time in human readable format on a dashboard however when I try 

~~~

|mstats prestats=false earliest_time("http_req_duration_value") as "Start Time" where index=au_cpe_common_metrics
| eval STime2=strftime("Start Time", "%d/%m/%Y %H:%M:%S")|table STime2

~~~

I get no results. 

I'd also like to be able to subtract earliest_time from latest_time to get the duration of the event based on other dimensions. 

I also tried prestats=true but it returned no Time values in the events.

What format is earliest_time in and why can't I format it or do calculations with the value?

What is happening here? I'm new to operating with metric indexes.


bowesmana
SplunkTrust

@perrinj2 

You should always use single quotes in eval statements for field names that do not just consist of standard letters or numbers. Also, if the field name starts with a number, you must use single quotes. However, note that the LEFT hand side of the eval statement does not use single quotes, it uses double.

To illustrate

| eval "Start Time" = strftime('Start Time', "%d/%m/%Y %H:%M:%S")

the left hand side uses double quotes, but inside the eval function, it uses single quotes.

Your example is due to the space in the field name 'Start Time'. If you had used StartTime, you would not need single quotes in the eval. 

If you ever have JSON fields in your data, then you will always have to use single quotes when wrapping a field name containing a . (period)

 

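An added example (not from the original thread) that applies the quoting rule above to the poster's search and also computes the duration asked about in the question: the index, metric name and field names are taken from the question; the `by host` dimension is an assumption, substitute whatever dimension your metrics carry.

```spl
| mstats prestats=false
    earliest_time("http_req_duration_value") as "Start Time"
    latest_time("http_req_duration_value") as "End Time"
    where index=au_cpe_common_metrics
    by host
| eval "Duration (s)" = 'End Time' - 'Start Time'
| eval "Start Time" = strftime('Start Time', "%d/%m/%Y %H:%M:%S")
| eval "End Time" = strftime('End Time', "%d/%m/%Y %H:%M:%S")
| table host "Start Time" "End Time" "Duration (s)"
```

The subtraction is done while both fields are still epoch numbers; the strftime conversions come afterwards, because once a field holds a formatted string it can no longer be used in arithmetic.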

perrinj2
Path Finder

@ITWhisperer 

Thanks. That fixed it. For others: Splunk resolves double quoted field names when they are used in a table command but treats them as literals when embedded in commands like strftime or when trying to use them in an eval statement. Easy trap to fall into.



ITWhisperer
SplunkTrust

Try single quotes around the field name

| eval STime2=strftime('Start Time', "%d/%m/%Y %H:%M:%S")|table STime2