I've been working on a Dashboard/Query that takes two date/time values (UTC) from Zscaler ZPA logs and converts to local timezone (PST). Some entries have a blank Time_Disconnected value and I do not know why.
Original (Zscaler):
TimestampAuthentication=2023-01-31T16:51:09.000Z TimestampUnAuthentication=2023-01-31T17:19:05.169Z
Query:
| rename TimestampAuthentication AS Time_Auth, TimestampUnAuthentication AS Time_Disconn
| eval Time_Authenticated=strftime(strptime(Time_Auth, "%Y-%m-%dT%H:%M:%S.%3N%z"), "%Y-%m-%d %H:%M:%S")
| eval Time_Disconnected=strftime(strptime(Time_Disconn, "%Y-%m-%dT%H:%M:%S.%3N%z"), "%Y-%m-%d %H:%M:%S")
| sort -_time
| table _time, Time_Auth, Time_Authenticated, Time_Disconn, Time_Disconnected
(Time_Auth and Time_Disconn are the raw values)
Result:
Why is it that the last entry does not have the Time_Disconnected field populated? I have seen a few of those conversions not working. Is my query incorrectly formatted in some way?
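The same pipeline (parse the Zscaler ISO 8601 UTC timestamp, convert to US Pacific, format for display, and leave the output blank when the raw value is blank) written in Python as an added example; this is not code from the post or from Zscaler/Splunk, and it uses Python's datetime.strptime semantics rather than Splunk's. The two raw values are the ones from the post; the second record with an empty TimestampUnAuthentication is constructed. A Python format string has to consume the millisecond digits before the zone designator, which is the point the example makes explicit.

```python
"""Convert Zscaler ZPA UTC timestamps to US Pacific time (added example)."""
from datetime import datetime, timedelta, timezone

# "PST" is ambiguous (PST in winter, PDT in summer); an IANA zone picks the
# correct offset for each date. Fall back to fixed UTC-8 if no tz database
# is installed (labelled assumption: only the January sample is DST-safe then).
try:
    from zoneinfo import ZoneInfo
    PACIFIC = ZoneInfo("America/Los_Angeles")
except Exception:  # ZoneInfoNotFoundError or no zoneinfo module
    PACIFIC = timezone(timedelta(hours=-8), "PST")

# Zscaler writes ISO 8601 with millisecond precision and a trailing "Z".
# %f consumes the fractional seconds, %z accepts the literal "Z" (Python 3.7+).
ZSCALER_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
# The display format used by the strftime() call in the post.
OUT_FMT = "%Y-%m-%d %H:%M:%S"


def matches_format(value, fmt):
    """True if value parses with fmt; used to show which formats fit the data."""
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False


def parse_zscaler_utc(value):
    """Parse a Zscaler timestamp; return None for blank or unparseable input."""
    if not value or not value.strip():
        return None
    try:
        return datetime.strptime(value.strip(), ZSCALER_FMT)
    except ValueError:
        return None


def to_pacific(value):
    """UTC ISO 8601 string -> 'YYYY-mm-dd HH:MM:SS' in Pacific time, '' if blank."""
    dt = parse_zscaler_utc(value)
    if dt is None:
        return ""
    return dt.astimezone(PACIFIC).strftime(OUT_FMT)


def convert_record(rec):
    """Mirror the rename/eval/table columns from the post for one log record."""
    auth = rec.get("TimestampAuthentication", "")
    disc = rec.get("TimestampUnAuthentication", "")
    return {
        "Time_Auth": auth,
        "Time_Authenticated": to_pacific(auth),
        "Time_Disconn": disc,
        "Time_Disconnected": to_pacific(disc),
    }


# Constructed sample: first record is the raw pair from the post, second is a
# session with no disconnect timestamp yet (user still connected).
SAMPLE_RECORDS = [
    {"TimestampAuthentication": "2023-01-31T16:51:09.000Z",
     "TimestampUnAuthentication": "2023-01-31T17:19:05.169Z"},
    {"TimestampAuthentication": "2023-07-15T16:51:09.000Z",
     "TimestampUnAuthentication": ""},
]


def convert_all(records=SAMPLE_RECORDS):
    return [convert_record(r) for r in records]


if __name__ == "__main__":
    for row in convert_all():
        print(row)
```

A blank Time_Disconnected is the expected output for a record whose raw TimestampUnAuthentication is empty (the session has not ended), so when checking unconverted rows it helps to first confirm whether the raw field itself was empty or whether it was present but did not match the format string.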