I have this real-time query with a 12 week back fill:
host="<some host>" OR host="<some other host>" "<some search text to key on>"
[ | stats count | eval date_hour=strftime(now(),"%H") | eval date_wday = lower(strftime(now(),"%A")) | fields - count ]
| bucket _time span=1h | stats count by _time
What is happening is every day this query will not return any results after 23:59 and before 10:00 AM. As soon as the time rolls over to 10:00 I can refresh and the search will have the expected results and works correctly for the remainder of the day until midnight.
It seems that there is an issue with strftime(now(),"%H") when the time starts with a 0. I tried changing the %H to %k and %I but neither helps the search work properly before 10 AM.
I can manually type in the hour into the query and get the correct result but using the function the query returns no results.
Does anyone have any thoughts on what I might be doing wrong here? Thanks!
Ok, so looking at some data on my box, date_hour seems to be a single value between midnight and 10am. Meaning at 8am it's an 8, not an 08. If that's the problem you're running into, then maybe just change your subsearch to include the tonumber() function for the date_hour eval
eval date_hour = tonumber(strftime(now(),"%H"))
Since your subsearch query in the [ ] will return values like ( ( date_hour="currentHour" AND date_wday="Today'sWeekDay" ) ), chances are it might not work all the time and hence you might see the discrepancy.
Please read here why date_hour and date_* fields aren't advisable to be used:
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#answer-387134
https://answers.splunk.com/answers/59415/stats-by-date-hour-failing-to-return-results.html#comment-6...
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#comment-386449
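As an added example (not code from either answer above), here is the same search rewritten without the subsearch and without the date_hour / date_wday fields, so neither the "08" vs 8 padding mismatch nor the raw-timestamp behaviour of the date_* fields comes into play: the hour and weekday are computed from each event's _time and compared numerically against now(). It assumes the events' timestamps are parsed correctly into _time and that strftime() on _time and on now() are evaluated in the same timezone (the search user's, which is the default).

```spl
host="<some host>" OR host="<some other host>" "<some search text to key on>"
| eval event_hour=tonumber(strftime(_time,"%H"))
| eval event_wday=lower(strftime(_time,"%A"))
| eval now_hour=tonumber(strftime(now(),"%H"))
| eval now_wday=lower(strftime(now(),"%A"))
| where event_hour=now_hour AND event_wday=now_wday
| bucket _time span=1h
| stats count by _time
```

The where clause replaces the generated ( date_hour=... AND date_wday=... ) filter, and because both sides go through tonumber() the comparison is 8=8 before 10 AM rather than "08" against 8.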
While I understand the risk of inconsistency here without a better solution being presented I must move forward with the solution I currently have.
Thank you for your input and I appreciate the time you took to provide me with this information. I will move forward and attempt to devise a solution that does not involve the date_hour and date_wday functions.
Despite the potential risk of inconsistency this solution did resolve the issue I was having, thank you for your help with this!