Splunk Enterprise Security

Splunk Enterprise Security: Threat Intelligence Audit dashboard is not displaying properly due to strptime() conversion in dashboard search

bohanlon_splunk
Splunk Employee
Splunk Employee

In Enterprise Security, the Threat Intelligence Audit dashboard is not displaying properly.
The _time and run_duration fields are incorrectly displayed when the user is in +GMT.

This is due to the strptime() conversion in the dashboard's search which looks like this:

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S-%z") 

This will work only for -GMT (-%z), but will not work for any user in +GMT.

0 Karma
1 Solution

bohanlon_splunk
Splunk Employee
Splunk Employee

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

0 Karma

bohanlon_splunk
Splunk Employee
Splunk Employee

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

0 Karma

dirkmeeuwsen
Explorer

thanks for adding the solution!

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!