Splunk Search

Error calculating a lookup field with strptime

Carolina
Engager

Hi,

I have an alert that fires if the time is greater than the end time field.
I extracted the Time field from the log, and the end time field comes from a lookup. This is my search:

index=mf JOBNAME=XEIEKEM1
| eval et_end=strptime(end_time_lookup,"%k:%M"), et_tiempo=strptime(Time,"%k:%M")
| where et_tiempo>et_end

I tried the same with %H:%M.
Log:
proceso,start,end,diferencia,tiempo
PRUEBA02,19:10,01:00,05:10,22:50
PRUEBA03,01:00,03:00,02:00,04:00
PRUEBA04,22:00,00:00,03:00,23:00
PRUEBA05,18:00,04:00,10:00,22:30
PRUEBA06,21:00,01:00,05:00,22:00

But sometimes the calculation of the times is incorrect, creating an incorrect alert.
Examples:

Why does the strptime command convert the end_time_lookup field incorrectly?
PRUEBA06,21:00,01:00,05:00,22:00
end_time_lookup value incorrect: 1533103200.000000 et_tiempo: 1533178800.000000
end_time_lookup value correct: 1533189600.000000

Regards.

0 Karma

DalJeanis
SplunkTrust

This run-anywhere sample shows exactly what the system is doing with your data. I believe your issue is probably with the limitations of how the system can interpret data which contains an hour and minute, but no day. Each of these is getting correctly extracted, but as if the only date involved is the run date.

| makeresults 
| eval mydata="PRUEBA02,19:10,01:00,05:10,22:50!!!!PRUEBA03,01:00,03:00,02:00,04:00!!!!PRUEBA04,22:00,00:00,03:00,23:00!!!!PRUEBA05,18:00,04:00,10:00,22:30!!!!PRUEBA06,21:00,01:00,05:00,22:00"
| makemv delim="!!!!" mydata 
| mvexpand mydata
| makemv delim="," mydata
| eval test=mvindex(mydata,0)
| eval Time1=mvindex(mydata,1)
| eval Time2=mvindex(mydata,2)
| eval Time3=mvindex(mydata,3)
| eval Time4=mvindex(mydata,4)
| foreach Time* 
    [ eval et_<<FIELD>>=strptime(<<FIELD>>,"%k:%M")
    | eval f_<<FIELD>>=strftime(et_<<FIELD>>,"%Y-%m-%d %H:%M:%S")
    | eval display<<FIELD>> = mvappend(<<FIELD>>,et_<<FIELD>>,f_<<FIELD>>)
    ]
| table test  display*

With these results

test        displayTime1           displayTime2           displayTime3           displayTime4

PRUEBA02    19:10                  01:00                  05:10                  22:50                  
            1533341400.000000      1533276000.000000      1533291000.000000      1533354600.000000      
            2018-08-03 19:10:00    2018-08-03 01:00:00    2018-08-03 05:10:00    2018-08-03 22:50:00  

PRUEBA03    01:00                  03:00                  02:00                  04:00                  
            1533276000.000000      1533283200.000000      1533279600.000000      1533286800.000000      
            2018-08-03 01:00:00    2018-08-03 03:00:00    2018-08-03 02:00:00    2018-08-03 04:00:00   

PRUEBA04    22:00                  00:00                  03:00                  23:00                  
            1533351600.000000      1533272400.000000      1533283200.000000      1533355200.000000      
            2018-08-03 22:00:00    2018-08-03 00:00:00    2018-08-03 03:00:00    2018-08-03 23:00:00   

PRUEBA05    18:00                  04:00                  10:00                  22:30                  
            1533337200.000000      1533286800.000000      1533308400.000000      1533353400.000000      
            2018-08-03 18:00:00    2018-08-03 04:00:00    2018-08-03 10:00:00    2018-08-03 22:30:00  

PRUEBA06    21:00                  01:00                  05:00                  22:00                  
            1533348000.000000      1533276000.000000      1533290400.000000      1533351600.000000      
            2018-08-03 21:00:00    2018-08-03 01:00:00    2018-08-03 05:00:00    2018-08-03 22:00:00    

Without information about what day the hour belongs to, the current date will be attached, and any such alert will be based on an assumption, which may or may not have any basis in reality.

0 Karma
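Added example (editor's run-anywhere search, not part of the original thread): the false alerts in the question come from exactly the behaviour shown above. Every "HH:MM" string is stamped with today's date, so an end time of 01:00 that really belongs to tomorrow sorts before a Time of 22:00 today and the `where` clause fires. The search below uses the same five constructed rows, compares the naive strptime result with a comparison done on minutes-since-midnight, and rolls the end time (and the observed time) to the next day whenever it is earlier than the job's start time. Field names start_time, end_time, tiempo, m_* and the naive_alert/alert columns are this example's own choices; the only assumption is that no job runs 24 hours or more, which is what makes "earlier than start" mean "next day".

```spl
| makeresults
| eval mydata="PRUEBA02,19:10,01:00,05:10,22:50!!!!PRUEBA03,01:00,03:00,02:00,04:00!!!!PRUEBA04,22:00,00:00,03:00,23:00!!!!PRUEBA05,18:00,04:00,10:00,22:30!!!!PRUEBA06,21:00,01:00,05:00,22:00"
| makemv delim="!!!!" mydata
| mvexpand mydata
``` The five rows are the constructed sample from the question; in production the start/end come from the lookup and tiempo from the event.
```
| rex field=mydata "^(?<proceso>[^,]+),(?<start_time>[^,]+),(?<end_time>[^,]+),(?<diferencia>[^,]+),(?<tiempo>[^,]+)$"
``` What the original search does: strptime with no date attaches today's date to both sides.
```
| eval naive_alert=if(strptime(tiempo,"%H:%M") > strptime(end_time,"%H:%M"), "yes", "no")
``` Date-free comparison: minutes since midnight, so no run date and no DST offset is involved.
```
| eval m_start=tonumber(mvindex(split(start_time,":"),0))*60 + tonumber(mvindex(split(start_time,":"),1))
| eval m_end=tonumber(mvindex(split(end_time,":"),0))*60 + tonumber(mvindex(split(end_time,":"),1))
| eval m_tiempo=tonumber(mvindex(split(tiempo,":"),0))*60 + tonumber(mvindex(split(tiempo,":"),1))
``` A time earlier than the start belongs to the next calendar day (assumes jobs last under 24h).
```
| eval m_end=if(m_end < m_start, m_end + 1440, m_end)
| eval m_tiempo=if(m_tiempo < m_start, m_tiempo + 1440, m_tiempo)
| eval alert=if(m_tiempo > m_end, "yes", "no")
| table proceso start_time end_time tiempo naive_alert alert
```

With this data naive_alert is "yes" on all five rows (every end time of 00:00 to 04:00 sorts before the evening Time values), while alert is "yes" only for PRUEBA03, where Time 04:00 really is past the 03:00 end of a job that started at 01:00. Note that the minutes approach also sidesteps a second trap of the strptime version: adding 86400 to a today-stamped epoch is wrong on the day a DST change happens, whereas minutes since midnight never touch the calendar.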

somesoni2
SplunkTrust

Try to use time format in strptime function as %H:%M instead of %k:%M.

0 Karma

Carolina
Engager

I tried with %H%M but it is the same problem.

0 Karma

somesoni2
SplunkTrust

For the rows (for example the one with proceso=PRUEBA06) where you get the wrong end_time_lookup, what are the corresponding human-readable values of end_time_lookup and Time (in "%k:%M" format)?

0 Karma