I have an eval on a dashboard that used to work, but it stopped and I haven't been able to figure out why.

On the dashboard I'm taking the _time and turning it into a human-readable string using strftime(_time, "%m/%d/%Y %H:%M:%S %Z"), and that works great. The problem comes in when I try to convert it back later for making a link to a search.

For example:

<eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>

This used to work and return the unix time that I added 30m to, but now strptime just returns NaN, even though this is the right format. I've checked all the Splunk docs and everything looks right, but it still is broken.

Any idea what I could be doing wrong?

Here is the snippet from my field row I'm making:

<condition field="Search">
  <eval token="startTimestamp">$row.Timestamp$</eval>
  <eval token="endTimestamp">relative_time(strptime($row.Timestamp$, "%m/%d/%Y %H:%M:%S %Z"), "+30m")</eval>
  <eval token="corKey">$row.Correlation Key$</eval>
  <link target="_blank">search?q=(index=### OR index=###) earliest=$startTimestamp$ latest=$endTimestamp$ correlationKey=$corKey$</link>
</condition>

I have taken out everything but the $row.Timestamp$, and that returns something like 10/03/2021 07:41:27 PDT, which is the format that I put into it; I just can't do the reverse. I have copied and pasted the format from the strftime and still no luck converting it back so I can do math on it.

Any suggestions?

1 Answer

I don't think it's anything you're doing wrong... but it does seem that strptime/strftime in the dashboard evals don't like %Z for whatever reason. (My Splunk Cloud stack is on version 8.2.2107.1.)

Doing the roundtrip from epoch to string and back within SPL itself seems to work fine... it's just the (javascript driven) dashboard side that doesn't seem to work quite right with timezone abbreviations.

relative_time from an epoch value works fine... and str[pf]time using UTC offsets with the %z format also seems to work (either of which could be a workaround for you).

I threw together a quick test dashboard to illustrate such things with the variations in formats to see the differences... If you (or someone from your company) are on a current support entitlement, I would log a case for this. (I don't see anything related in the published known issues, at least.)

<dashboard version="1.1">
  <label>Teddybear Time Drilldown Test</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
            | makeresults 
            | eval epoch="1633272087", format=mvappend("%m/%d/%Y %H:%M:%S %Z","%m/%d/%Y %H:%M:%S %z","%m/%d/%Y %H:%M:%S"), Search="Go This Row", Reset="Clear" 
            | fields - _time 
            | mvexpand format 
            | eval Timestamp=strftime(epoch,format), roundtrip=strptime(Timestamp,format)
            | table Search, Reset, *
          </query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">true</option>
        <drilldown>
          <condition field="Search">
            <eval token="timestamp">$row.Timestamp$</eval>
            <eval token="strptime">strptime($row.Timestamp$, $row.format$)</eval>
            <eval token="strftime">strftime($row.epoch$, $row.format$)</eval>
            <eval token="relative_time">relative_time($row.epoch$,"-30m")</eval>
          </condition>
          <condition field="Reset">
            <unset token="timestamp"/> <unset token="strptime"/> <unset token="strftime"/> <unset token="relative_time"/>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>timestamp</title>
      <html>
        <h2>$timestamp|s$</h2>
      </html>
    </panel>
    <panel>
      <title>strptime</title>
      <html>
        <h2>$strptime|s$</h2>
      </html>
    </panel>
    <panel>
      <title>strftime</title>
      <html>
        <h2>$strftime|s$</h2>
      </html>
    </panel>
    <panel>
      <title>relative_time</title>
      <html>
        <h2>$relative_time|s$</h2>
      </html>
    </panel>
  </row>
</dashboard>
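Putting the answer's two findings together (relative_time on an epoch value works in the drilldown, and only the %Z parse fails), the added example below is an editor's rework of the question's drilldown, not code from either poster: the search carries the raw epoch alongside the display string, so the link window is computed from the epoch and nothing has to be parsed back. The index names, the correlationKey field and the Correlation Key column are placeholders taken from the question, and the display string uses %z rather than %Z only so that it would also round-trip if someone later needed it to.

```xml
<dashboard version="1.1">
  <label>Drilldown time window from epoch (added example)</label>
  <row>
    <panel>
      <table>
        <search>
          <query>
            index=### correlationKey=*
            | eval epoch=_time,
                   Timestamp=strftime(_time, "%m/%d/%Y %H:%M:%S %z"),
                   Search="Go This Row"
            | rename correlationKey AS "Correlation Key"
            | table Search, Timestamp, "Correlation Key", epoch
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <condition field="Search">
            <!-- Window bounds come straight from the epoch column, so no strptime is
                 involved; the Timestamp column is display-only. -->
            <eval token="startTimestamp">$row.epoch$</eval>
            <eval token="endTimestamp">relative_time($row.epoch$, "+30m")</eval>
            <eval token="corKey">$row.Correlation Key$</eval>
            <!-- earliest/latest accept epoch seconds directly. -->
            <link target="_blank">search?q=(index=### OR index=###) earliest=$startTimestamp$ latest=$endTimestamp$ correlationKey=$corKey$</link>
          </condition>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

The epoch column is left visible here so that $row.epoch$ is guaranteed to be populated; if it needs hiding, verify on your version that row tokens still resolve for fields omitted from the displayed columns before relying on it.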