Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to build a timechart from a specific field and convert it from UTC to PST?

evanleair
Explorer
‎09-13-2016 12:25 PM

Hello Splunk Masters,

The search query I have built out works great, but due to the amount of requests hitting us, Splunk can get backed up and post a bunch of logs all at once which causes a manufactured spike in my chart.

I would love to work around this by building a timetable off of a custom time field (BeginRequest-UTC) and converting it to PST. This way we're able to see when the requests are hitting our IIS services and accurately monitor when spikes are generated. I also need to be able to break it down by UserAgent as well to determine which user agents are sending successful responses and unsuccessful responses.

The below query is what I'm using to look at successful IIS responses broken down by UserAgent.

sourcetype=iis_logs http_status!=40* http_status!=5* | timechart count by UserAgent

Any help is appreciated!

Thanks,

Evan

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 12:32 PM

Try this
UPDATED

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "%Y-%m-%d %H:%M:%S.%3N") |  eval time=time+(10*3600) | bin span=1h time |stats count by time UserAgent | eval time=strftime(time, "%x %X")

*OR*

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "%Y-%m-%d %H:%M:%S.%3N") | eval time=time+(10*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(time, "%x %X")

I believe UTC>PST = 10hrs = 3600*10 (please verify)

Reply

evanleair
Explorer
‎09-13-2016 01:01 PM

What type of field would I put in for "USE APPROPRIATE MODIFIERS HERE"? An example value I would get would be: 2016-09-13 19:55:09.503, and when I adjust the query to be:

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "earliest=-15m") | eval time=time+(7*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(%x %X)

or

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, " %H:%M:%S") | eval time=time+(7*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(%x %X)

I get this error: Error in 'eval' command: The arguments to the 'strptime' function are invalid.

What can be done to get around that?

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 01:07 PM

Try the updated query

0 Karma
Reply

evanleair
Explorer
‎09-13-2016 01:41 PM

I'm running the updated query and am still getting the same error. Any other ideas? Thanks so much in advance!

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 01:43 PM

🙂 The error is in the second eval statement. I have corrected it now.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...