Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Striftime Error or Settings questions

hyungjoon
New Member
‎12-17-2018 05:57 AM

For some reason when I have Time as below, and use (| eval SortingTime=strftime(SortingTime, " %H:%M:%S") I always get exactly 1more hour to what I should get.

alt text

So if I use | eval SortingTime=strftime(SortingTime, " %H:%M:%S") , I would get 01:23:39 instead of 00:23:39 and same goes for everytime I try to use strftime, I always get an extra hour

I have 2 accounts. one account seems to get the right strftime but the other one always adds an extra hour to strftime. Is there something wrong with my settings???

Tags (1)
Preview file
5 KB
0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-17-2018 06:05 AM

Do you have timezone specified for account in which you are getting +1 hour ?

Or try below query

<yourBaseSearch>
| eval SortingTime=tostring(SortingTime, "duration")
0 Karma
Reply

hyungjoon
New Member
‎12-17-2018 07:55 AM

yes I have timezone specified for both account but they are specified to the same timezone. I don't know why one would give me +1 hour while the other won't. Is there anyway I can fix this?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-17-2018 08:56 AM

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-17-2018 08:55 AM

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...