Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why strftime with %Z work differently between query and eval + token

ralzate
Explorer
‎11-10-2017 07:17 AM

Hello

In my dashboard, i saw a strange things with Timezone printing. In fact i have to make time conversion and show detail for a specific usage. I want to show date in a specific timezone (which could change dynamically).

If I make calculation in query i have what i want.
If I make calculation in token the result is not good.

<dashboard>
  <label>timeComponent</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults
|eval out_time=strftime(time(),"%Z %z")
|table out_time
</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="fromSearch">$result.out_time$</set>
            <eval token="fromEval">strftime(time(),"%Z %z")</eval>
          </done>
        </search>
      </table>![alt text][1]         
    </panel>
  </row>
   <row>
    <panel>
      <html> 
        <table border="0" cellpadding="12" cellspacing="0">
          <tr>
            <td>Value in Search</td>
            <td>[$fromSearch$]</td>
          </tr>
          <tr>
            <td>Value in eval</td>
            <td>[$fromEval$]</td>
          </tr>
        </table>  
      </html>
    </panel>
  </row>
</dashboard>

Why the %Z is not working in the Eval ?
My question is : Is it normal to have different results ?
I have to make some time transformation and i wouldn't use fake (transformation using an other query, ...) just for changing timezone.

Any idea ?

Thanks
Régis Alzaté

Tags (2)
Preview file
6 KB
Reply
1 Solution
Solved! Jump to solution
Solution

ralzate
Explorer
‎03-27-2018 02:05 AM

The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.

And in my query i add the final transformation

| eval _time = _time * 2  - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))

If it can help someone else.

Regards
Régis

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ralzate
Explorer
‎03-27-2018 02:05 AM

The only solution that i found was to use "query" part in order to make timezone transformation.
I converted data source in epoch time (in the source) and added a new column with local timezone string (like Europe/Paris, EST5EDT,...). The user timezone parameter have to set to UTC.

And in my query i add the final transformation

| eval _time = _time * 2  - ( strptime(strftime(_time,"%d/%m/%Y %H:%M:%S") . " $token_timezone$","%d/%m/%Y %H:%M:%S %Z"))

If it can help someone else.

Regards
Régis

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-10-2017 08:20 AM

I think I read that the eval tag in dashboards has some limitation/changes as compared to eval in search command. See this: http://docs.splunk.com/Documentation/Splunk/6.3.10/Viz/tokens#Define_token_filtering_and_formatting

It's NOT listed explicitly that %Z is not supported in dashboard-xml-eval, but seems like it.

0 Karma
Reply
Solved! Jump to solution

ralzate
Explorer
‎11-10-2017 08:44 AM

hi and thanks somesoni2

This doc mentions "different behavior" for strftime. (personally, i see this behavior as a bug)
I'm agree with you, but if we have to develop a huge trick just to convert timezone, i found that not user friendly.

I think i have no other choose that implement a dummy query or other trick to do it.

Regards
Régis

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-11-2017 09:46 AM

@ralzate, I think %Z, does not play well with eval based token. So if you have have valid Splunk Entitlement you should create a BUG Request (Tag Bug to this question as well).

Meanwhile as you have said,
1) Use %zfor Timezone in eval and then convert the same to %Z in your actual search or
2) Have a dummy search to over come this situation

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

ralzate
Explorer
‎11-12-2017 11:07 PM

Hello,

Use %z is not good for me because i need timezone with daylight saving time, in this case i have to search the good correspondence (not easy to do).

I can do the second solution temporary until i have a better solution.

I will raise a bug request.

Thanks all

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...