Splunk Search

Issue with eval in Dashboard XML Source

MERBAG
Explorer

Hey all,

Cause of the Y2K bug we recently did an upgrade of our Splunk environment to version 8.0.1 - after this upgrade we do face a strange issue, which does not make any sense for us and maybe looks like a bug or something, let me explain what we have. In one of our Dashboards we do create several timestamps using the eval method, here the code:

<eval token="STARTFROMDISPLAY">mvindex(split($click.value$,"-"),0)</eval> 
<eval token="STARTFROMMACHINE">strptime($STARTFROMDISPLAY$, "%d.%m.%Y %H:%M")</eval> 
<eval token="STARTFROMADMACHINE">relative_time($STARTFROMMACHINE$, "-0d@d")</eval> 
<eval token="ENDATADMACHINE">relative_time($STARTFROMMACHINE$, "+1d@d")</eval>

After those did run, the variables do have the following values:

  • STARTFROMDISPLAY: 07.01.2020 09:52
  • STARTFROMMACHINE: 1578387120 (07.01.2020 09:52)
  • STARTFROMADMACHINE: 1578351600 (07.01.2020 00:00)
  • ENDATADMACHINE: 1577833200 (01.01.2020 00:00)

So far so good, this is where the issue starts: if you convert these timestamps to actual dates (see above) everything is fine, except for ENDATADMACHINE, which for some reason is pointing to last year's end instead of 08.01.2020 00:00, which it should and would be correct.

To make sure there is no error in the code, we did create a small and simple search (not in XML) to reproduce:

index=dhcp 
| eval STARTFROMMACHINE = strptime("07.01.2020 09:52", "%d.%m.%Y %H:%M") 
| eval STARTFROMADMACHINE = relative_time(STARTFROMMACHINE, "-0d@d")
| eval ENDATADMACHINE = relative_time(STARTFROMMACHINE, "+1d@d")
| table STARTFROMMACHINE, STARTFROMADMACHINE, ENDATADMACHINE

The output values of this search do look like this:

  • STARTFROMMACHINE: 1578387120 (07.01.2020 09:52)
  • STARTFROMADMACHINE: 1578351600 (07.01.2020 00:00)
  • ENDATADMACHINE: 1578438000 (08.01.2020 00:00)

So to summarize the issue in one sentence: relative_time(sometimestring, "+1d@d") does not work while using eval in the XML, but it does work if used within a search.
Does anyone have an idea what is going on here? Please let me know if you need any additional information.

Thanks.

0 Karma

MERBAG
Explorer

@niketnilay Thanks a lot for your reply. Not sure if you understood my issue correctly, since what you sent here is more like a workaround than a solution to our issue.

Therefore a quick update from my side - the issue is only happening when the dashboard needs to display something from the current day, so it looks like there is a bug or something that modifies the date to a date in the future in the Dashboard XML - in the normal search everything is still working normally, and this was also working before we did the update to 8.0.1.

0 Karma

niketn
Legend

@MERBAG it is not a workaround, it is the possible solution based on the expected behavior of <eval> to set a token in Simple XML using relative_time(). Have you tried changing the logged-in user's timezone to GMT and checking whether the issue is still observed or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@MERBAG I think this has been called out in the uses of eval to set the token in the dashboard using relative_time: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_token_filtering_and_formatting

For your use case you can pass the clicked value as a token to an Independent Search which will set the required tokens. Following is an example:

    <!-- Independent search to set token for time -->
    <search>
      <query>| makeresults 
  | eval clickedValue="$click.value$"
  | eval STARTFROMMACHINE = strptime(mvindex(split(clickedValue,"-"),0), "%d.%m.%Y %H:%M") 
  | eval STARTFROMADMACHINE = relative_time(STARTFROMMACHINE, "-0d@d") 
  | eval ENDATADMACHINE = relative_time(STARTFROMMACHINE, "+1d@d") 
  | table STARTFROMMACHINE, STARTFROMADMACHINE, ENDATADMACHINE </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <done>
        <set token="tokSTARTFROMMACHINE">$result.STARTFROMMACHINE$</set>
        <set token="tokSTARTFROMADMACHINE">$result.STARTFROMADMACHINE$</set>
        <set token="tokENDATADMACHINE">$result.ENDATADMACHINE$</set>
      </done>
    </search>

You can refer to one of my answers on similar lines where I have used Independent Search to set required tokens. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
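To check the numbers from the question and the timezone hypothesis raised in this answer, here is a small helper (added example, not code from either poster or from Splunk) that reproduces the three token computations for the page's "07.01.2020 09:52" value. It implements only the subset of Splunk's relative_time modifier grammar the thread uses ("-0d@d", "+1d@d") and assumes the dashboard user's timezone is CET (UTC+1), which is what the epoch/display pairs in the question imply.

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Assumed user timezone: CET (UTC+1), the offset in force on the page's
# January 2020 dates (1578387120 <-> 07.01.2020 09:52 only holds at UTC+1).
CET = timezone(timedelta(hours=1))

# Subset of the Splunk relative-time grammar: optional offset ([+-]N plus a
# unit) and optional snap-to ("@" plus a unit); units s/m/h/d only.
_MODIFIER = re.compile(r"^(?:([+-]?\d+)([smhd]))?(?:@([smhd]))?$")
_UNIT_KW = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def relative_time(epoch: float, modifier: str, tz: tzinfo = CET) -> int:
    """Apply a modifier such as "-0d@d" or "+1d@d" to an epoch and return an
    epoch (seconds). Day boundaries are taken in the given timezone, which is
    what decides the value of "@d" and is why the timezone matters here."""
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    dt = datetime.fromtimestamp(epoch, tz=tz)
    if amount is not None:
        dt = dt + timedelta(**{_UNIT_KW[unit]: int(amount)})
    # Snapping zeroes every field finer than the requested unit.
    if snap == "d":
        dt = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        dt = dt.replace(minute=0, second=0, microsecond=0)
    elif snap == "m":
        dt = dt.replace(second=0, microsecond=0)
    elif snap == "s":
        dt = dt.replace(microsecond=0)
    return int(dt.timestamp())


def expected_tokens(display_value: str, tz: tzinfo = CET) -> dict:
    """Recompute STARTFROMMACHINE / STARTFROMADMACHINE / ENDATADMACHINE for a
    display value in the question's "%d.%m.%Y %H:%M" format in timezone tz."""
    start = datetime.strptime(display_value, "%d.%m.%Y %H:%M").replace(tzinfo=tz)
    start_epoch = int(start.timestamp())
    return {
        "STARTFROMMACHINE": start_epoch,
        "STARTFROMADMACHINE": relative_time(start_epoch, "-0d@d", tz),
        "ENDATADMACHINE": relative_time(start_epoch, "+1d@d", tz),
    }


if __name__ == "__main__":
    for label, tz in (("CET", CET), ("UTC", timezone.utc)):
        print(label, expected_tokens("07.01.2020 09:52", tz))
```

Running it with the question's value gives the plain-search results from the question for CET; switching the timezone to UTC shifts every token by one hour, so comparing the output against what the dashboard token actually holds tells you whether a timezone difference accounts for the discrepancy.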