Hi,
I have an alert if time is greater than the field end time.
I extracted the time field from the log, and the end time field I have in a lookup. This is my search:
index=mf JOBNAME=XEIEKEM1
| eval et_end=strptime(end_time_lookup,"%k:%M"),et_tiempo=strptime(Time,"%k:%M")
|where et_tiempo>et_end
I tried the same with %H:%M.
Log:
proceso,start,end,diferencia,tiempo
PRUEBA02,19:10,01:00,05:10,22:50
PRUEBA03,01:00,03:00,02:00,04:00
PRUEBA04,22:00,00:00,03:00,23:00
PRUEBA05,18:00,04:00,10:00,22:30
PRUEBA06,21:00,01:00,05:00,22:00
But sometimes the calculation of times is incorrect, creating an incorrect warning.
Examples:
Why does the strptime command convert the field end_time_lookup incorrectly?
PRUEBA06,21:00,01:00,05:00,22:00
end_time_lookup value incorrect: 1533103200.000000 et_tiempo: 1533178800.000000
end_time_lookup value correct: 1533189600.000000
Regards.
This run-anywhere sample shows exactly what the system is doing with your data. I believe your issue is probably with the limitations of how the system can interpret data which contains an hour and minute, but no day. Each of these is getting correctly extracted, but as if the only date involved is the run date.
| makeresults
| eval mydata="PRUEBA02,19:10,01:00,05:10,22:50!!!!PRUEBA03,01:00,03:00,02:00,04:00!!!!PRUEBA04,22:00,00:00,03:00,23:00!!!!PRUEBA05,18:00,04:00,10:00,22:30!!!!PRUEBA06,21:00,01:00,05:00,22:00"
| makemv delim="!!!!" mydata
| mvexpand mydata
| makemv delim="," mydata
| eval test=mvindex(mydata,0)
| eval Time1=mvindex(mydata,1)
| eval Time2=mvindex(mydata,2)
| eval Time3=mvindex(mydata,3)
| eval Time4=mvindex(mydata,4)
| foreach Time*
[ eval et_<<FIELD>>=strptime(<<FIELD>>,"%k:%M")
| eval f_<<FIELD>>=strftime(et_<<FIELD>>,"%Y-%m-%d %H:%M:%S")
| eval display<<FIELD>> = mvappend(<<FIELD>>,et_<<FIELD>>,f_<<FIELD>>)
]
| table test display*
With these results
test displayTime1 displayTime2 displayTime3 displayTime4
PRUEBA02 19:10 01:00 05:10 22:50
1533341400.000000 1533276000.000000 1533291000.000000 1533354600.000000
2018-08-03 19:10:00 2018-08-03 01:00:00 2018-08-03 05:10:00 2018-08-03 22:50:00
PRUEBA03 01:00 03:00 02:00 04:00
1533276000.000000 1533283200.000000 1533279600.000000 1533286800.000000
2018-08-03 01:00:00 2018-08-03 03:00:00 2018-08-03 02:00:00 2018-08-03 04:00:00
PRUEBA04 22:00 00:00 03:00 23:00
1533351600.000000 1533272400.000000 1533283200.000000 1533355200.000000
2018-08-03 22:00:00 2018-08-03 00:00:00 2018-08-03 03:00:00 2018-08-03 23:00:00
PRUEBA05 18:00 04:00 10:00 22:30
1533337200.000000 1533286800.000000 1533308400.000000 1533353400.000000
2018-08-03 18:00:00 2018-08-03 04:00:00 2018-08-03 10:00:00 2018-08-03 22:30:00
PRUEBA06 21:00 01:00 05:00 22:00
1533348000.000000 1533276000.000000 1533290400.000000 1533351600.000000
2018-08-03 21:00:00 2018-08-03 01:00:00 2018-08-03 05:00:00 2018-08-03 22:00:00
Without information about what day the hour belongs to, the current date will be attached, and any such alert will be based on an assumption, which may or may not have any basis in reality.
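The same-day anchoring described above, next to a comparison that accounts for jobs crossing midnight, as an added example written in Python rather than SPL (it is not code from this thread). It assumes start falls on the reference day and that every job window is shorter than 24 hours; the function names are hypothetical.

```python
from datetime import datetime, date, timedelta

# Rows copied from the log sample in the question:
# proceso,start,end,diferencia,tiempo
LOG = """PRUEBA02,19:10,01:00,05:10,22:50
PRUEBA03,01:00,03:00,02:00,04:00
PRUEBA04,22:00,00:00,03:00,23:00
PRUEBA05,18:00,04:00,10:00,22:30
PRUEBA06,21:00,01:00,05:00,22:00"""


def anchor(hhmm, day):
    """Attach a date to a bare HH:MM value, as strptime does with the run date."""
    t = datetime.strptime(hhmm.strip(), "%H:%M").time()
    return datetime.combine(day, t)


def naive_alert(end, tiempo, day):
    """The comparison from the question: both values land on the same day."""
    return anchor(tiempo, day) > anchor(end, day)


def overnight_alert(start, end, tiempo, day):
    """Assumption: start is on `day` and the window is shorter than 24 hours,
    so an end or tiempo earlier than start belongs to the following day."""
    s, e, t = anchor(start, day), anchor(end, day), anchor(tiempo, day)
    if e <= s:
        e += timedelta(days=1)
    if t < s:
        t += timedelta(days=1)
    return t > e


def evaluate(log=LOG, day=date(2018, 8, 3)):
    """Return {proceso: (naive, overnight_aware)} for every row."""
    out = {}
    for line in log.splitlines():
        proceso, start, end, _diferencia, tiempo = line.split(",")
        out[proceso] = (naive_alert(end, tiempo, day),
                        overnight_alert(start, end, tiempo, day))
    return out


if __name__ == "__main__":
    for proceso, (naive, fixed) in evaluate().items():
        print(f"{proceso}: naive={naive} overnight_aware={fixed}")
```

With the sample rows, the same-day comparison fires for every job, while the overnight-aware one fires only for PRUEBA03, whose tiempo really is past its end.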
Try to use the time format in the strptime function as %H:%M instead of %k:%M.
I tried with %H%M but it is the same problem.
For rows (assuming one with proceso=PRUEBA06) where you get the wrong end_time_lookup, what are the corresponding human-readable values for end_time_lookup and Time (in "%k:%M" format)?