Splunk Search

Error in calculating a lookup field with the use of strptime

Carolina
Engager

Hi,

I have an alert if Time is greater than the field end time.
The Time field I extracted from the log, and the end time field I have in a lookup. This is my search:

index=mf JOBNAME=XEIEKEM1 
| eval et_end=strptime(end_time_lookup,"%k:%M"),et_tiempo=strptime(Time,"%k:%M")
|where et_tiempo>et_end

I tried the same with %H:%M
Log:
proceso,start,end,diferencia,tiempo
PRUEBA02,19:10,01:00,05:10,22:50
PRUEBA03,01:00,03:00,02:00,04:00
PRUEBA04,22:00,00:00,03:00,23:00
PRUEBA05,18:00,04:00,10:00,22:30
PRUEBA06,21:00,01:00,05:00,22:00

But sometimes the calculation of the times is incorrect, creating an incorrect warning.
Examples:

Why does the strptime command convert the end_time_lookup field incorrectly?
PRUEBA06,21:00,01:00,05:00,22:00
end_time_lookup value incorrect: 1533103200.000000 et_tiempo: 1533178800.000000
end_time_lookup value correct: 1533189600.000000

Regards.

0 Karma

DalJeanis
Legend

This run-anywhere sample shows exactly what the system is doing with your data. I believe your issue is probably with the limitations of how the system can interpret data which contains an hour and minute, but no day. Each of these is getting correctly extracted, but as if the only date involved is the run date.

| makeresults 
| eval mydata="PRUEBA02,19:10,01:00,05:10,22:50!!!!PRUEBA03,01:00,03:00,02:00,04:00!!!!PRUEBA04,22:00,00:00,03:00,23:00!!!!PRUEBA05,18:00,04:00,10:00,22:30!!!!PRUEBA06,21:00,01:00,05:00,22:00"
| makemv delim="!!!!" mydata 
| mvexpand mydata
| makemv delim="," mydata
| eval test=mvindex(mydata,0)
| eval Time1=mvindex(mydata,1)
| eval Time2=mvindex(mydata,2)
| eval Time3=mvindex(mydata,3)
| eval Time4=mvindex(mydata,4)
| foreach Time* 
    [ eval et_<<FIELD>>=strptime(<<FIELD>>,"%k:%M")
    | eval f_<<FIELD>>=strftime(et_<<FIELD>>,"%Y-%m-%d %H:%M:%S")
    | eval display<<FIELD>> = mvappend(<<FIELD>>,et_<<FIELD>>,f_<<FIELD>>)
    ]
| table test  display*

With these results

test        displayTime1           displayTime2           displayTime3           displayTime4

PRUEBA02    19:10                  01:00                  05:10                  22:50                  
            1533341400.000000      1533276000.000000      1533291000.000000      1533354600.000000      
            2018-08-03 19:10:00    2018-08-03 01:00:00    2018-08-03 05:10:00    2018-08-03 22:50:00  

PRUEBA03    01:00                  03:00                  02:00                  04:00                  
            1533276000.000000      1533283200.000000      1533279600.000000      1533286800.000000      
            2018-08-03 01:00:00    2018-08-03 03:00:00    2018-08-03 02:00:00    2018-08-03 04:00:00   

PRUEBA04    22:00                  00:00                  03:00                  23:00                  
            1533351600.000000      1533272400.000000      1533283200.000000      1533355200.000000      
            2018-08-03 22:00:00    2018-08-03 00:00:00    2018-08-03 03:00:00    2018-08-03 23:00:00   

PRUEBA05    18:00                  04:00                  10:00                  22:30                  
            1533337200.000000      1533286800.000000      1533308400.000000      1533353400.000000      
            2018-08-03 18:00:00    2018-08-03 04:00:00    2018-08-03 10:00:00    2018-08-03 22:30:00  

PRUEBA06    21:00                  01:00                  05:00                  22:00                  
            1533348000.000000      1533276000.000000      1533290400.000000      1533351600.000000      
            2018-08-03 21:00:00    2018-08-03 01:00:00    2018-08-03 05:00:00    2018-08-03 22:00:00    

Without information about what day the hour belongs to, the current date will be attached, and any such alert will be based on an assumption, which may or may not have any basis in reality.

0 Karma
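As an added illustration (not code from the thread or from Splunk), the following Python mimics what the answer above describes: strptime on an hour:minute string attaches the run date, so a job that ends after midnight looks "already past" every evening. The window_aware_overdue function is an assumption of mine, not something the thread states: it treats an end time that is not after the start time as belonging to the next day, which is what the "correct" epoch value in the question implies.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed copy of the log rows from the question (proceso,start,end,diferencia,tiempo)
LOG = """proceso,start,end,diferencia,tiempo
PRUEBA02,19:10,01:00,05:10,22:50
PRUEBA03,01:00,03:00,02:00,04:00
PRUEBA04,22:00,00:00,03:00,23:00
PRUEBA05,18:00,04:00,10:00,22:30
PRUEBA06,21:00,01:00,05:00,22:00
"""

# The date that the answer's output shows Splunk attaching; any run date behaves the same.
RUN_DAY = datetime(2018, 8, 3)

def splunk_like_strptime(hhmm, day=RUN_DAY):
    """Mimic strptime(field, "%H:%M") on a date-less string: the run date gets attached.
    (%H is used instead of Splunk's %k because the sample values are zero-padded.)"""
    t = datetime.strptime(hhmm, "%H:%M")
    return day.replace(hour=t.hour, minute=t.minute)

def naive_overdue(row):
    """The search in the question: where et_tiempo > et_end, both placed on the run date."""
    return splunk_like_strptime(row["tiempo"]) > splunk_like_strptime(row["end"])

def window_aware_overdue(row):
    """Assumption (not stated in the thread): an end that is not after start means the
    job window crosses midnight, so end (and a tiempo before start) belong to the next day."""
    s = splunk_like_strptime(row["start"])
    e = splunk_like_strptime(row["end"])
    t = splunk_like_strptime(row["tiempo"])
    if e <= s:
        e += timedelta(days=1)
    if t < s:  # still ambiguous with hour:minute only: "before start" or "after midnight"
        t += timedelta(days=1)
    return t > e

def evaluate(log=LOG):
    """Return {proceso: (run-date comparison, window-aware comparison)} for every row."""
    rows = csv.DictReader(StringIO(log))
    return {r["proceso"]: (naive_overdue(r), window_aware_overdue(r)) for r in rows}

if __name__ == "__main__":
    for name, (naive, aware) in evaluate().items():
        print(f"{name}: run-date compare={naive}  window-aware={aware}")
```

Every row except PRUEBA03 fires under the run-date comparison even though only PRUEBA03 is actually past its end time; the remaining ambiguity (a tiempo earlier than start) is exactly the missing-day problem the answer points out.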

somesoni2
Revered Legend

Try to use time format in strptime function as %H:%M instead of %k:%M.

0 Karma

Carolina
Engager

I tried with %H%M but it is the same problem

0 Karma

somesoni2
Revered Legend

For the rows (assuming one with proceso=PRUEBA06) where you get the wrong end_time_lookup, what are the corresponding human-readable values for end_time_lookup and Time (in "%k:%M" format)?

0 Karma