How to build a timechart from a specific field and convert it from UTC to PST?

evanleair
Explorer

Hello Splunk Masters,

The search query I have built out works great, but due to the amount of requests hitting us, Splunk can get backed up and post a bunch of logs all at once which causes a manufactured spike in my chart.

I would love to work around this by building a timetable off of a custom time field (BeginRequest-UTC) and converting it to PST. This way we're able to see when the requests are hitting our IIS services and accurately monitor when spikes are generated. I also need to be able to break it down by UserAgent as well to determine which user agents are sending successful responses and unsuccessful responses.

The below query is what I'm using to look at successful IIS responses broken down by UserAgent.

sourcetype=iis_logs http_status!=40* http_status!=5* | timechart count by UserAgent 

Any help is appreciated!

Thanks,

Evan

sundareshr
Legend

Try this
UPDATED

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime('BeginRequest-UTC', "%Y-%m-%d %H:%M:%S.%3N") | eval time=time+(10*3600) | bin span=1h time | stats count by time UserAgent | eval time=strftime(time, "%x %X")

OR

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime('BeginRequest-UTC', "%Y-%m-%d %H:%M:%S.%3N") | eval time=time+(10*3600) | bin span=1h time | chart limit=0 count over time by UserAgent | eval time=strftime(time, "%x %X")

I believe UTC>PST = 10hrs = 3600*10 (please verify)
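As an added illustration (not part of the thread and not sundareshr's answer), the same pipeline written in Python: parse BeginRequest-UTC, convert to Pacific time through the tz database so that PST (UTC-8) and PDT (UTC-7) are both handled instead of a fixed hour offset, bin to the hour, apply the same http_status filter (drop 40x and 5xx) and count by UserAgent. The IIS records are constructed sample data, the indexed_at column is a stand-in for Splunk's _time, and it shows the spike that bulk indexing manufactures when events are charted by index time rather than request time. Python's strptime uses %f for fractional seconds where Splunk uses %3N.

```python
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample IIS events (not from the thread). Every event was
# indexed in one burst at 20:10 UTC although the requests arrived over
# two hours; that is the "manufactured spike" when charting on index time.
SAMPLE_LOGS = [
    # (indexed_at UTC,        BeginRequest-UTC,          http_status, UserAgent)
    ("2016-09-13 20:10:00", "2016-09-13 18:05:10.120", "200", "Mozilla/5.0"),
    ("2016-09-13 20:10:00", "2016-09-13 18:40:33.004", "200", "curl/7.47.0"),
    ("2016-09-13 20:10:00", "2016-09-13 19:02:17.911", "404", "curl/7.47.0"),
    ("2016-09-13 20:10:00", "2016-09-13 19:55:09.503", "200", "Mozilla/5.0"),
    ("2016-09-13 20:10:00", "2016-09-13 19:58:41.260", "503", "Mozilla/5.0"),
    ("2016-09-13 20:10:00", "2016-09-13 19:59:00.000", "302", "Mozilla/5.0"),
]

# tz-database zone: PST in winter, PDT in summer, switching automatically.
PACIFIC = ZoneInfo("America/Los_Angeles")

# Accepted timestamp layouts; Python %f plays the role of Splunk's %3N.
FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")


def parse_utc(text: str) -> datetime:
    """Parse a naive UTC timestamp string into an aware UTC datetime."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def to_pacific(dt_utc: datetime) -> datetime:
    """Convert an aware UTC datetime to Pacific local time (PST or PDT)."""
    return dt_utc.astimezone(PACIFIC)


def offset_hours_for(dt_utc: datetime) -> int:
    """Hours to add to UTC for Pacific time at this instant: -8 (PST) or -7 (PDT)."""
    return int(to_pacific(dt_utc).utcoffset().total_seconds() // 3600)


def is_success(http_status: str) -> bool:
    """Mirror the SPL filter http_status!=40* http_status!=5*."""
    return not (http_status.startswith("40") or http_status.startswith("5"))


def hour_bin(dt_local: datetime) -> str:
    """Equivalent of `bin span=1h`, rendered with the zone abbreviation."""
    return dt_local.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%d %H:%M %Z")


def count_by_hour_and_agent(logs, by_request_time: bool = True) -> dict:
    """Hourly successful-response counts keyed by (hour bin, UserAgent).

    by_request_time=True bins on BeginRequest-UTC (what the question asks for);
    False bins on the index time, which reproduces the backlog spike.
    """
    counts = Counter()
    for indexed_at, begin_request_utc, http_status, user_agent in logs:
        if not is_success(http_status):
            continue
        stamp = parse_utc(begin_request_utc if by_request_time else indexed_at)
        counts[(hour_bin(to_pacific(stamp)), user_agent)] += 1
    return dict(counts)


def render(counts: dict) -> str:
    """Lay the counts out like `chart count over time by UserAgent`."""
    lines = ["time                  UserAgent      count"]
    for (hour, agent), n in sorted(counts.items()):
        lines.append(f"{hour:<21} {agent:<14} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Binned on BeginRequest-UTC (true arrival pattern):")
    print(render(count_by_hour_and_agent(SAMPLE_LOGS)))
    print("\nBinned on index time (backlog flushed in one burst):")
    print(render(count_by_hour_and_agent(SAMPLE_LOGS, by_request_time=False)))
```

Run as a script, it prints the two charts side by side: four successful requests spread over the 11:00 and 12:00 PDT bins when keyed on BeginRequest-UTC, versus all four landing in the 13:00 PDT bin when keyed on index time. The offset_hours_for helper is the check to run before hard-coding a number like 7 or 10 in an eval: it returns -7 for a September timestamp and -8 for a January one.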

evanleair
Explorer

What type of field would I put in for "USE APPROPRIATE MODIFIERS HERE"? An example value I would get would be: 2016-09-13 19:55:09.503, and when I adjust the query to be:

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "earliest=-15m") | eval time=time+(7*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(%x %X)

or

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, " %H:%M:%S") | eval time=time+(7*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(%x %X)

I get this error: Error in 'eval' command: The arguments to the 'strptime' function are invalid.

What can be done to get around that?

sundareshr
Legend

Try the updated query

evanleair
Explorer

I'm running the updated query and am still getting the same error. Any other ideas? Thanks so much in advance!

sundareshr
Legend

🙂 The error is in the second eval statement. I have corrected it now.
