Why does my strftime search not work between midnight and 10 am?

New Member

I have this real-time query with a 12 week back fill:

    host="<some host>" OR host="<some other host>" "<some search text to key on>" 
    [ | stats count | eval date_hour=strftime(now(),"%H") | eval date_wday = lower(strftime(now(),"%A")) | fields - count  ]  
    | bucket _time span=1h | stats count by _time

What is happening is every day this query will not return any results after 23:59 and before 10:00 AM. As soon as the time rolls over to 10:00 I can refresh and the search will have the expected results and works correctly for the remainder of the day until midnight.

It seems that there is an issue with strftime(now(),"%H") when the time starts with a 0. I tried changing the %H to %k and %I but neither helps the search work properly before 10 AM.

I can manually type in the hour into the query and get the correct result but using the function the query returns no results.

Does anyone have any thoughts on what I might be doing wrong here? Thanks!

0 Karma

Re: Why does my strftime search not work between midnight and 10 am?

Champion

Ok, so looking at some data on my box, date_hour seems to be a single value between midnight and 10am. Meaning at 8am it's an 8, not an 08. If that's the problem you're running into, then maybe just change your subsearch to include the tonumber() function for the date_hour eval:

    eval date_hour = tonumber(strftime(now(),"%H"))

View solution in original post

0 Karma
Re: Why does my strftime search not work between midnight and 10 am?

New Member

Despite the potential risk of inconsistency this solution did resolve the issue I was having, thank you for help with this!

0 Karma
Re: Why does my strftime search not work between midnight and 10 am?

Motivator

Since your subsearch query in the [ ] will return values like ( ( date_hour="currentHour" AND date_wday="Today'sWeekDay" ) ), chances are it might not work all the time, and hence you might see the discrepancy.

Please read here why date_hour and date_* fields aren't advisable to be used:
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#answer-387134
https://answers.splunk.com/answers/59415/stats-by-date-hour-failing-to-return-results.html#comment-6...
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#comment-386449

0 Karma
Re: Why does my strftime search not work between midnight and 10 am?

New Member

While I understand the risk of inconsistency here, without a better solution being presented I must move forward with the solution I currently have.

Thank you for your input and I appreciate the time you took to provide me with this information. I will move forward and attempt to devise a solution that does not involve the date_hour and date_wday functions.

0 Karma
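For readers who, like the original poster, want the same hour-of-day filter without relying on the date_* fields discussed in the two answers above, the following search is an added example (not code from the thread or from Splunk). It keeps the original host and keyword filter (parenthesised so the OR is not mixed with the keyword term) and derives both the event's hour and the current hour from the same strftime() format, so both sides carry the same zero padding ("08" vs "08") and no tonumber() is needed:

```spl
(host="<some host>" OR host="<some other host>") "<some search text to key on>"
| eval event_hour = strftime(_time, "%H"), event_wday = lower(strftime(_time, "%A"))
| eval current_hour = strftime(now(), "%H"), current_wday = lower(strftime(now(), "%A"))
| where event_hour = current_hour AND event_wday = current_wday
| bucket _time span=1h
| stats count by _time
```

Two caveats. First, strftime(_time, ...) and strftime(now(), ...) are both rendered in the search's time zone, whereas date_hour and date_wday are taken from the timestamp text as it appeared in the raw event at index time, which is where the inconsistency the Motivator links to comes from; this version is consistent but may disagree with the date_* values for events logged in another time zone. Second, the filter is applied in a `where` after the events are retrieved, so across a 12-week backfill it reads every matching event rather than letting the indexed date_hour value narrow the search, and it will be slower than the subsearch form for large volumes.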