Solved: Why do some entries (of type search) have api_et, ...

jason0 · ‎06-22-2022

Hello,

I am digging through my _audit index to see what searches people are running over time, but I am confused by the following fields.

api_et , api_It
apiStartTime, apiEndTime

It would appear that api_et and apiEndTime are the same thing. same with api_lt, and api_StartTime. I get that api_(el)t are epoch times, and the others are formatted dates.

Why do some entries (of type search) have api_et, api_lt, and others have apiStartTime,apiEndTime? Thus far I have to do any calculations based on the presence of both sets and use coalesce to choose between the one that's not bogus.

--jason

gcusello · ‎06-22-2022

Hi @jason0,

I don't know why there's this behaviour, this i a question for Splunk Project Team, but anyway, you already identified the solution: use coalesce to be sure to have a value for calculations.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-22-2022

Hi @jason0,

I don't know why there's this behaviour, this i a question for Splunk Project Team, but anyway, you already identified the solution: use coalesce to be sure to have a value for calculations.

Ciao.

Giuseppe

gcusello · ‎06-24-2022

Hi @jason0

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

jason0 · ‎06-24-2022

Thanks Guiseppe, I appreciate your response. It helps me a lot!

--jason

Why do some entries (of type search) have api_et, api_lt, and others have apiStartTime,apiEndTime?

fields

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel