- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: update humar readable Time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
update humar readable Time
Hi, I am passing human readable time using URL to my dashboard and looking to change this time by 1 hr earlier.
Example
Passing Time in URL : 2019-05-09T10:30:00.000+02:00
Expectation : 2019-05-09T09:30:00.000+02:00
I have tried converting it to epoch and subtract 3600. After converted it back to same format. but not working as per expectation.
<search>
<query>| makeresults count=1 annotate=false </query>
<done>
<condition match="match($ALERT_TOKEN$,"true")">
<eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval>
<eval token="final_time">strftime($epoch_time$,"%Y-%m-%dT%H:%M:%S.%3f%z")</eval>
</condition>
</done>
</search>
This logic works in search but not in dashboard code. Any suggestion what I am missing here ?
| makeresults
| eval TIME="2019-05-09T10:30:00.000+02:00"
| eval TIME1=strptime(TIME,"%Y-%m-%dT%H:%M:%S")-3600
| eval TIME2=strftime(TIME1,"%Y-%m-%dT%H:%M:%S.%3f%z")
| table TIME TIME1 TIME2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @agoyal,
I tried testing around with the token and it seemed to work best when the value sent in the original $url_time$ is in epoch. It would be easier for you to send that vs a human readable date.
If that's not possible then I recommend you first check the value you're getting in the epoch_time token via <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval> by using $epoch_time$ in a dashboard title or as follows |makeresults|eval A=$epoch_time$ this will make troubleshooting way easier for you.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks but url_time is generated in alert using $job.earliest_time$ so don't think possible to use epoch.
converting to epoch time is working fine it just converting back to human readable is not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case remove the strptime because $job.earliest_time$ is already in epoch. So no need to reconvert it 🙂 make it $url_time$ -3600 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no its not in epoch timeformat.
Defined it Email alert
?&host_token=$result.host_token$&form.time_token.earliest=$job.earliestTime$&form.time_token.latest=$job.latestTime$&Log_or_Live_token=Live
Output:
?&host_token=QCST_RSAT_V42&form.time_token.earliest=2019-05-09T10:45:00.000+02:00&form.time_token.latest=2019-05-09T10:55:00.000+02:00&Log_or_Live_token=Live
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please post what you're getting in the tokens as values ? your syntax seems correct
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
