`xd_index`_alerts SiteName="*" ServerType="Member"
``` Base search: the xd_index macro expansion with the literal suffix "_alerts" appended (presumably this resolves to an index name; confirm against the macro definition), restricted to events with any SiteName value and ServerType="Member". ```

``` Shift _time by the gap between the event's wall-clock string re-parsed with " GMT+8" appended and the original epoch value. strftime/strptime are used here only to compute that offset; they do not control how Time is rendered later. Both format strings stop at whole seconds, so a fractional part carried by _time is not removed by this arithmetic. ```
| eval _time = _time - (strptime(strftime(_time, "%Y-%m-%dT%H:%M:%S") . " GMT+8", "%Y-%m-%dT%H:%M:%S%Z") - _time)

``` Keep only the most recent values per SiteName / orig_host / AlertName / Details combination. latest_alert_time is still a numeric epoch at this point. ```
| stats
    latest(_time) AS latest_alert_time
    latest(Value) AS Value
    latest(Value2) AS Value2
    latest(Severity) AS Severity
    BY SiteName orig_host AlertName Details

``` Turn the epoch into a readable string. This step, not the eval above, decides what the Time column looks like; no timeformat is supplied, so the command default applies. NOTE(review): if subseconds appear in Time, floor/round latest_alert_time before this step or pass an explicit timeformat to convert - confirm the behaviour on your Splunk version. ```
| convert ctime(latest_alert_time) AS latest_alert_time

``` Map each alert name pattern to the name of a detail view. There is no catch-all branch, so alerts that match none of the patterns get no View value. ```
| eval View = case(
    like(AlertName, "%Service Critical"), "services_group",
    like(AlertName, "CPU %"), "host_proc_detail",
    like(AlertName, "Memory %"), "host_mem_detail",
    like(AlertName, "Pages/sec%"), "host_mem_detail",
    like(AlertName, "Disk%"), "host_disk_detail"
  )

``` Ascending sort on the already formatted time string; the final sort on Time below decides the displayed order. ```
| sort latest_alert_time

``` Round both measurements to whole numbers. ```
| eval Value = round(Value, 0), Value2 = round(Value2, 0)

``` Select the output columns, give them display names, and list newest first. NOTE(review): Time is a formatted string here, so this sort compares text rather than epoch values. ```
| table latest_alert_time SiteName AlertName Severity orig_host Details Value Value2 View
| rename latest_alert_time AS "Time" AlertName AS Alert orig_host AS Host SiteName AS Site
| sort -Time
I am using this search to find some data, but my "Time" field (renamed from latest_alert_time) always shows nanoseconds, even though the strptime and strftime formats in my eval contain no %N or %6N. Any idea why?