Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

update humar readable Time

AKG1_old1
Builder
‎05-09-2019 03:41 AM

Hi, I am passing human readable time using URL to my dashboard and looking to change this time by 1 hr earlier.

Example 

Passing Time in URL : 2019-05-09T10:30:00.000+02:00
Expectation :  2019-05-09T09:30:00.000+02:00

I have tried converting it to epoch and subtract 3600. After converted it back to same format. but not working as per expectation.

<search>
    <query>| makeresults count=1 annotate=false </query>
    <done>
      <condition match="match($ALERT_TOKEN$,&quot;true&quot;)">
         <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval>
         <eval token="final_time">strftime($epoch_time$,"%Y-%m-%dT%H:%M:%S.%3f%z")</eval>
      </condition>
    </done>
  </search>

This logic works in search but not in dashboard code. Any suggestion what I am missing here ?

| makeresults 
| eval TIME="2019-05-09T10:30:00.000+02:00" 
| eval TIME1=strptime(TIME,"%Y-%m-%dT%H:%M:%S")-3600 
| eval TIME2=strftime(TIME1,"%Y-%m-%dT%H:%M:%S.%3f%z") 
| table TIME TIME1 TIME2
0 Karma
Reply

DavidHourani
Super Champion
‎05-09-2019 05:25 AM

Hi @agoyal,

I tried testing around with the token and it seemed to work best when the value sent in the original $url_time$ is in epoch. It would be easier for you to send that vs a human readable date.

If that's not possible then I recommend you first check the value you're getting in the epoch_time token via <eval token="epoch_time">strptime($url_time$,"%Y-%m-%dT%H:%M:%S")-3600</eval> by using $epoch_time$ in a dashboard title or as follows |makeresults|eval A=$epoch_time$ this will make troubleshooting way easier for you.

Cheers,
David

0 Karma
Reply

AKG1_old1
Builder
‎05-09-2019 05:49 AM

Thanks but url_time is generated in alert using $job.earliest_time$ so don't think possible to use epoch.
converting to epoch time is working fine it just converting back to human readable is not working.

0 Karma
Reply

DavidHourani
Super Champion
‎05-09-2019 06:02 AM

In that case remove the strptime because $job.earliest_time$ is already in epoch. So no need to reconvert it 🙂 make it $url_time$ -3600 😉

0 Karma
Reply

AKG1_old1
Builder
‎05-09-2019 06:17 AM

no its not in epoch timeformat.

Defined it Email alert
?&host_token=$result.host_token$&form.time_token.earliest=$job.earliestTime$&form.time_token.latest=$job.latestTime$&Log_or_Live_token=Live

Output:
?&host_token=QCST_RSAT_V42&form.time_token.earliest=2019-05-09T10:45:00.000+02:00&form.time_token.latest=2019-05-09T10:55:00.000+02:00&Log_or_Live_token=Live

0 Karma
Reply

DavidHourani
Super Champion
‎05-09-2019 05:00 AM

Could you please post what you're getting in the tokens as values ? your syntax seems correct

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...