Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to build a timechart from a specific field and convert it from UTC to PST?

evanleair
Explorer
‎09-13-2016 12:25 PM

Hello Splunk Masters,

The search query I have built out works great, but due to the amount of requests hitting us, Splunk can get backed up and post a bunch of logs all at once which causes a manufactured spike in my chart.

I would love to work around this by building a timetable off of a custom time field (BeginRequest-UTC) and converting it to PST. This way we're able to see when the requests are hitting our IIS services and accurately monitor when spikes are generated. I also need to be able to break it down by UserAgent as well to determine which user agents are sending successful responses and unsuccessful responses.

The below query is what I'm using to look at successful IIS responses broken down by UserAgent.

sourcetype=iis_logs http_status!=40* http_status!=5* | timechart count by UserAgent

Any help is appreciated!

Thanks,

Evan

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 12:32 PM

Try this
UPDATED

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "%Y-%m-%d %H:%M:%S.%3N") |  eval time=time+(10*3600) | bin span=1h time |stats count by time UserAgent | eval time=strftime(time, "%x %X")

*OR*

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "%Y-%m-%d %H:%M:%S.%3N") | eval time=time+(10*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(time, "%x %X")

I believe UTC>PST = 10hrs = 3600*10 (please verify)

Reply

evanleair
Explorer
‎09-13-2016 01:01 PM

What type of field would I put in for "USE APPROPRIATE MODIFIERS HERE"? An example value I would get would be: 2016-09-13 19:55:09.503, and when I adjust the query to be:

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, "earliest=-15m") | eval time=time+(7*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(%x %X)

or

sourcetype=iis_logs http_status!=40* http_status!=5* | eval time=strptime(BeginRequest-UTC, " %H:%M:%S") | eval time=time+(7*3600) | bin span=1h time |chart limit=0 count over time by UserAgent | eval time=strftime(%x %X)

I get this error: Error in 'eval' command: The arguments to the 'strptime' function are invalid.

What can be done to get around that?

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 01:07 PM

Try the updated query

0 Karma
Reply

evanleair
Explorer
‎09-13-2016 01:41 PM

I'm running the updated query and am still getting the same error. Any other ideas? Thanks so much in advance!

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 01:43 PM

🙂 The error is in the second eval statement. I have corrected it now.

0 Karma
Reply
Get Updates on the Splunk Community!

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...