Re: Striftime Error or Settings questions

hyungjoon · ‎12-17-2018

For some reason when I have Time as below, and use (| eval SortingTime=strftime(SortingTime, " %H:%M:%S") I always get exactly 1more hour to what I should get.

So if I use | eval SortingTime=strftime(SortingTime, " %H:%M:%S") , I would get 01:23:39 instead of 00:23:39 and same goes for everytime I try to use strftime, I always get an extra hour

I have 2 accounts. one account seems to get the right strftime but the other one always adds an extra hour to strftime. Is there something wrong with my settings???

harsmarvania57 · ‎12-17-2018

Do you have timezone specified for account in which you are getting +1 hour ?

Or try below query

<yourBaseSearch>
| eval SortingTime=tostring(SortingTime, "duration")

hyungjoon · ‎12-17-2018

yes I have timezone specified for both account but they are specified to the same timezone. I don't know why one would give me +1 hour while the other won't. Is there anyway I can fix this?

harsmarvania57 · ‎12-17-2018

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

harsmarvania57 · ‎12-17-2018

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

Striftime Error or Settings questions

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation