Why does my strftime search not work between midnight and 10 am?

rlincoln
New Member

I have this real-time query with a 12-week backfill:

    host="<some host>" OR host="<some other host>" "<some search text to key on>" 
    [ | stats count | eval date_hour=strftime(now(),"%H") | eval date_wday = lower(strftime(now(),"%A")) | fields - count  ]  
    | bucket _time span=1h | stats count by _time

What is happening is every day this query will not return any results after 23:59 and before 10:00 AM. As soon as the time rolls over to 10:00 I can refresh and the search will have the expected results and works correctly for the remainder of the day until midnight.

It seems that there is an issue with strftime(now(),"%H") when the time starts with a 0. I tried changing the %H to %k and %I but neither helps the search work properly before 10 AM.

I can manually type in the hour into the query and get the correct result but using the function the query returns no results.

Does anyone have any thoughts on what I might be doing wrong here? Thanks!

maciep
Champion

Ok, so looking at some data on my box, date_hour seems to be a single value between midnight and 10am. Meaning at 8am it's an 8, not an 08. If that's the problem you're running into, then maybe just change your subsearch to include the tonumber() function for the date_hour eval:

    eval date_hour = tonumber(strftime(now(),"%H"))

gokadroid
Motivator

Since your subsearch query in the [ ] will return values like ( ( date_hour="currentHour" AND date_wday="Today'sWeekDay" ) ), chances are it might not work all the time, and hence you might see the discrepancy.

Please read here why using date_hour and the other date_* fields isn't advisable:
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#answer-387134
https://answers.splunk.com/answers/59415/stats-by-date-hour-failing-to-return-results.html#comment-6...
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#comment-386449

rlincoln
New Member

While I understand the risk of inconsistency here, without a better solution being presented I must move forward with the solution I currently have.

Thank you for your input and I appreciate the time you took to provide me with this information. I will move forward and attempt to devise a solution that does not involve the date_hour and date_wday functions.

rlincoln
New Member

Despite the potential risk of inconsistency this solution did resolve the issue I was having, thank you for your help with this!

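As an added example (not posted by anyone in this thread), the two searches below put maciep's tonumber() fix next to an alternative that does not rely on the indexed date_* fields at all, which is the concern behind gokadroid's links. The host and search-text values are the placeholders from the question. The first search is the original with the hour cast to a number, so the subsearch emits date_hour=8 instead of date_hour="08" and matches how date_hour is stored before 10:00; the second derives hour and weekday from _time instead and filters with a where clause.

```spl
host="<some host>" OR host="<some other host>" "<some search text to key on>"
    [ | stats count
      | eval date_hour=tonumber(strftime(now(),"%H"))
      | eval date_wday=lower(strftime(now(),"%A"))
      | fields - count ]
| bucket _time span=1h
| stats count by _time

host="<some host>" OR host="<some other host>" "<some search text to key on>"
| eval hour=tonumber(strftime(_time,"%H")), wday=lower(strftime(_time,"%A"))
| where hour=tonumber(strftime(now(),"%H")) AND wday=lower(strftime(now(),"%A"))
| bucket _time span=1h
| stats count by _time
```

In the second search both strftime() calls are evaluated in the searching user's timezone, so the hour compared against now() is consistent with _time rather than with the timestamp text in the raw event that date_hour is extracted from. The trade-off is that the where clause filters after retrieval, so the 12-week backfill scans every matching event instead of narrowing the index search the way the subsearch does.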