
Hi,

when I start a query

 | chart min(log_ts) as min_ts  by min_ts, source_address, destination_address 

I receive the error message:

could not convert string to float: '/'.

But why?

An example for log_ts: 2021/10/11 11:04:54

I use 

| chart count() as "Count", min(log_ts) as min_ts, max(log_ts) as max_ts

in a macro, and I am sure that in earlier versions of Logpoint I didn't receive this error message.

Currently I use Logpoint version 6.12.0.

Best regards,

Hans Vedder

Hi Hans 

Most likely what’s going wrong is that it takes log_ts as a string rather than an epoch, and min() expects a number, so I would try to convert the timestamp to epoch and do the search. 

Kind regards

Nicolai


Seems like the format has changed in 6.12:

[screenshot of the 6.12 output]

And here from 6.11.1:

[screenshot of the 6.11.1 output]

So I tested a few things; it seems that it doesn't like the "_" in `as min_ts`, so try a name without "_" in it, or put single quotes around min_ts:

 | chart min(log_ts) as 'min_ts'  by min_ts, source_address, destination_address  


Hi Nicolai,

many thanks for looking into my question.

One additional question.

6.11.1 shows min(log_ts) in format datetime. 

The query you provided me

 | chart min(log_ts) as 'min_ts'  by min_ts, source_address, destination_address  

shows min_ts in integer format.

How is it possible to change the format to datetime? 

Very interesting: I use the query in an alert without single quotes. The email notification with {{row.min_ts|datetime}} shows me min_ts in datetime format. No difference between 6.11.1 and 6.12.

Does the search engine use a different min function than the email notification of the alert?

Best regards,

Hans Vedder



Hi Hans 

For converting the timestamp from integer (epoch format) to a human-readable format we can use the strftime function (https://docs.logpoint.com/docs/evaluation-process-plugin/en/latest/DateTime%20functions.html#strptime).

E.g. 

| process eval("search_date=strftime(min_ts, 'yyyy-mm-dd')")
Would return the timestamp in the format listed after the comma:
1634554729 → 2021-10-18

The issues with the differences between 6.11.2 and 6.12 have been accepted as a bug that will be fixed in the next flex patch. 

As for the difference between search engine and alert engine, I know that the flow goes through different services so it could be why there are different outcomes. 

Kind regards
Nicolai 
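To make the cause of the error and the fix concrete outside of Logpoint, here is an added Python example (not code from the thread or from Logpoint) that reproduces the failure mode Nicolai describes: a numeric min() applied to string timestamps like `2021/10/11 11:04:54` fails, while parsing them to epoch first, taking the minimum, and formatting back with strftime works. The sample rows are constructed; the timestamps carry no zone, so the example assumes UTC, and the function names are the example's own.

```python
from datetime import datetime, timezone

# Constructed sample values in the log_ts format from the question (assumption: UTC).
SAMPLE_LOG_TS = [
    "2021/10/11 11:04:54",
    "2021/10/11 09:17:02",
    "2021/10/12 00:00:01",
]
LOG_TS_FORMAT = "%Y/%m/%d %H:%M:%S"


def min_as_float(values):
    """Mimic a numeric min() applied directly to the raw strings.

    float('2021/10/11 11:04:54') is not a number, so this raises ValueError,
    which is the same class of failure as 'could not convert string to float'.
    """
    return min(float(v) for v in values)


def numeric_min_fails(values):
    """Return True if treating the strings as numbers raises, False otherwise."""
    try:
        min_as_float(values)
    except ValueError:
        return True
    return False


def to_epoch(ts, fmt=LOG_TS_FORMAT):
    """Parse a log_ts string into integer epoch seconds (strptime step)."""
    parsed = datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def min_epoch(values):
    """The aggregation that works: convert to epoch first, then take the minimum."""
    return min(to_epoch(v) for v in values)


def epoch_to_str(epoch, fmt="%Y-%m-%d"):
    """Render an epoch back to a human-readable string (strftime step)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def min_ts_readable(values, fmt="%Y-%m-%d %H:%M:%S"):
    """End-to-end: strings -> epoch -> min -> formatted string."""
    return epoch_to_str(min_epoch(values), fmt)


if __name__ == "__main__":
    print("numeric min on raw strings fails:", numeric_min_fails(SAMPLE_LOG_TS))
    print("min epoch:", min_epoch(SAMPLE_LOG_TS))
    print("min as datetime:", min_ts_readable(SAMPLE_LOG_TS))
    print("post's example:", epoch_to_str(1634554729))
```

The `epoch_to_str(1634554729)` call reproduces the 2021-10-18 result quoted in the reply above, which is a quick way to confirm the epoch-to-date direction is behaving as expected before relying on it in an alert template.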


Hi @Hans Vedder and All :)


The patch Nicolai mentioned is available now.


You can download it here: https://servicedesk.logpoint.com/hc/en-us/articles/4409222763665-LogPoint-v6-12-1

and access the documentation here: https://docs.logpoint.com/docs/logpoint-overview/en/latest/LogPoint%20Docs.html :)

