Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why strftime with %Z work differently between...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ralzate
Explorer
11-10-2017
07:17 AM
Hello
In my dashboard, i saw a strange things with Timezone printing. In fact i have to make time conversion and show detail for a specific usage. I want to show date in a specific timezone (which could change dynamically).
If I make calculation in query i have what i want.
If I make calculation in token the result is not good.
<dashboard>
<label>timeComponent</label>
<row>
<panel>
<table>
<search>
<query>|makeresults
|eval out_time=strftime(time(),"%Z %z")
|table out_time
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<done>
<set token="fromSearch">$result.out_time$</set>
<eval token="fromEval">strftime(time(),"%Z %z")</eval>
</done>
</search>
</table>![alt text][1]
</panel>
</row>
<row>
<panel>
<html>
<table border="0" cellpadding="12" cellspacing="0">
<tr>
<td>Value in Search</td>
<td>[$fromSearch$]</td>
</tr>
<tr>
<td>Value in eval</td>
<td>[$fromEval$]</td>
</tr>
</table>
</html>
</panel>
</row>
</dashboard>
Why the %Z is not working in the Eval ?
My question is : Is it normal to have different results ?
I have to make some time transformation and i wouldn't use fake (transformation using an other query, ...) just for changing timezone.
Any idea ?
Thanks
Régis Alzaté
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ralzate
Explorer
03-27-2018
02:05 AM
The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.
And in my query i add the final transformation
| eval _time = _time * 2 - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))
If it can help someone else.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ralzate
Explorer
03-27-2018
02:05 AM
The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.
And in my query i add the final transformation
| eval _time = _time * 2 - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))
If it can help someone else.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-10-2017
08:20 AM
I think I read that the eval tag in dashboards has some limitation/changes as compared to eval in search command. See this: http://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/tokens#Define_token_filtering_and_formatting
It's NOT listed explicitly that %Z is not supported in dashboard-xml-eval, but seems like it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ralzate
Explorer
11-10-2017
08:44 AM
hi and thanks somesoni2
This doc mentions "different behavior" for strftime. (personally, i see this behavior as a bug)
I'm agree with you, but if we have to develop a huge trick just to convert timezone, i found that not user friendly.
I think i have no other choose that implement a dummy query or other trick to do it.
Regards
Régis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
11-11-2017
09:46 AM
@ralzate, I think %Z, does not play well with eval based token. So if you have have valid Splunk Entitlement you should create a BUG Request (Tag Bug to this question as well).
Meanwhile as you have said,
1) Use %zfor Timezone in eval and then convert the same to %Z in your actual search or
2) Have a dummy search to over come this situation
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ralzate
Explorer
11-12-2017
11:07 PM
Hello,
Use %z is not good for me because i need timezone with daylight saving time, in this case i have to search the good correspondence (not easy to do).
I can do the second solution temporary until i have a better solution.
I will raise a bug request.
Thanks all
Get Updates on the Splunk Community!
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
