Splunk Search

Striftime Error or Settings questions

hyungjoon
New Member

For some reason when I have Time as below, and use (| eval SortingTime=strftime(SortingTime, " %H:%M:%S") I always get exactly 1more hour to what I should get.

alt text

So if I use | eval SortingTime=strftime(SortingTime, " %H:%M:%S") , I would get 01:23:39 instead of 00:23:39 and same goes for everytime I try to use strftime, I always get an extra hour

I have 2 accounts. one account seems to get the right strftime but the other one always adds an extra hour to strftime. Is there something wrong with my settings???

Tags (1)
0 Karma

harsmarvania57
Ultra Champion

Do you have timezone specified for account in which you are getting +1 hour ?

Or try below query

<yourBaseSearch>
| eval SortingTime=tostring(SortingTime, "duration")
0 Karma

hyungjoon
New Member

yes I have timezone specified for both account but they are specified to the same timezone. I don't know why one would give me +1 hour while the other won't. Is there anyway I can fix this?

0 Karma

harsmarvania57
Ultra Champion

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

0 Karma

harsmarvania57
Ultra Champion

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...