Solved: Splunk Enterprise Security: Threat Intelligence Au...

bohanlon_splunk · ‎01-20-2016

In Enterprise Security, the Threat Intelligence Audit dashboard is not displaying properly.
The _time and run_duration fields are incorrectly displayed when the user is in +GMT.

This is due to the strptime() conversion in the dashboard's search which looks like this:

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S-%z")

This will work only for -GMT (-%z), but will not work for any user in +GMT.

bohanlon_splunk · ‎01-20-2016

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

View solution in original post

bohanlon_splunk · ‎01-20-2016

Answering my own question.
This is seen in ES 3.3.0 and 4.0.1.
Bug logged as SOLNESS-8361.
Workaround is remove the extra -

i.e.

eval _time=strptime('row 1', "%Y-%m-%d%T%H:%M:%S%z")

dirkmeeuwsen · ‎01-21-2016

thanks for adding the solution!

Splunk Enterprise Security: Threat Intelligence Audit dashboard is not displaying properly due to strptime() conversion in dashboard search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor