Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

update humar readable Time

AKG1_old1
Builder
‎05-09-2019 03:41 AM

Hi, I am passing human readable time using URL to my dashboard and looking to change this time by 1 hr earlier.

Example 

Passing Time in URL : 2019-05-09T10:30:00.000+02:00
Expectation :  2019-05-09T09:30:00.000+02:00

I have tried converting it to epoch and subtract 3600. After converted it back to same format. but not working as per expectation.

<search>
    <query>| makeresults count=1 annotate=false </query>
    <done>
      <condition match="match($ALERT_TOKEN$,&quot;true&quot;)">
         <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval>
         <eval token="final_time">strftime($epoch_time$,"%Y-%m-%dT%H:%M:%S.%3f%z")</eval>
      </condition>
    </done>
  </search>

This logic works in search but not in dashboard code. Any suggestion what I am missing here ?

| makeresults 
| eval TIME="2019-05-09T10:30:00.000+02:00" 
| eval TIME1=strptime(TIME,"%Y-%m-%dT%H:%M:%S")-3600 
| eval TIME2=strftime(TIME1,"%Y-%m-%dT%H:%M:%S.%3f%z") 
| table TIME TIME1 TIME2
0 Karma
Reply

DavidHourani
Super Champion
‎05-09-2019 05:25 AM

Hi @agoyal,

I tried testing around with the token and it seemed to work best when the value sent in the original $url_time$ is in epoch. It would be easier for you to send that vs a human readable date.

If that's not possible then I recommend you first check the value you're getting in the epoch_time token via <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval> by using $epoch_time$ in a dashboard title or as follows |makeresults|eval A=$epoch_time$ this will make troubleshooting way easier for you.

Cheers,
David

0 Karma
Reply

AKG1_old1
Builder
‎05-09-2019 05:49 AM

Thanks but url_time is generated in alert using $job.earliest_time$ so don't think possible to use epoch.
converting to epoch time is working fine it just converting back to human readable is not working.

0 Karma
Reply

DavidHourani
Super Champion
‎05-09-2019 06:02 AM

In that case remove the strptime because $job.earliest_time$ is already in epoch. So no need to reconvert it 🙂 make it $url_time$ -3600 😉

0 Karma
Reply

AKG1_old1
Builder
‎05-09-2019 06:17 AM

no its not in epoch timeformat.

Defined it Email alert
?&host_token=$result.host_token$&form.time_token.earliest=$job.earliestTime$&form.time_token.latest=$job.latestTime$&Log_or_Live_token=Live

Output:
?&host_token=QCST_RSAT_V42&form.time_token.earliest=2019-05-09T10:45:00.000+02:00&form.time_token.latest=2019-05-09T10:55:00.000+02:00&Log_or_Live_token=Live

0 Karma
Reply

DavidHourani
Super Champion
‎05-09-2019 05:00 AM

Could you please post what you're getting in the tokens as values ? your syntax seems correct

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...