Solved

Why this query is wrong?

  • 11 October 2021
  • 6 replies
  • 190 views

Userlevel 1

Hi,

when I start a query

 | chart min(log_ts) as min_ts  by min_ts, source_address, destination_address 

I receive the error message:

could not convert string to float: '/'.

But why?

An example for log_ts: 2021/10/11 11:04:54

I use 

| chart count() as "Count", min(log_ts) as min_ts, max(log_ts) as max_ts

in a macro and I am sure that in earlier versions of Logpoint I didn’t receive this error message.

Currently I use Logpoint version 6.12.0.

Best regards,

Hans Vedder


Best answer by Anonymous 20 October 2021, 09:33


6 replies

Userlevel 3
Badge +8

Hi Hans 

Most likely what’s going wrong is that it takes log_ts as a string rather than an epoch, and min() expects a number, so I would try to convert the timestamp to epoch and do the search. 

Kind regards

Nicolai

Userlevel 3
Badge +8

Seems like the format has changed in 6.12:

(screenshot from 6.12 not preserved)

And here from 6.11.1:

(screenshot from 6.11.1 not preserved)

Userlevel 3
Badge +8

So I tested a few things; it seems that it doesn’t like the “_” in the “as min_ts”, so try a name without “_” in it, or put single quotes around min_ts:

 | chart min(log_ts) as 'min_ts'  by min_ts, source_address, destination_address  

Userlevel 1

Hi Nicolai,

many thanks for looking into my question.

One question in addition.

6.11.1 shows min(log_ts) in format datetime. 

The query you provided me

 | chart min(log_ts) as 'min_ts'  by min_ts, source_address, destination_address  

shows min_ts in integer format.

How is it possible to change the format to datetime? 

Very interesting: I use the query in an alert without single quotes. The email notification with {{row.min_ts|datetime}} shows me min_ts in datetime format. No difference between 6.11.1 and 6.12.

Does the search engine use a different min function than the email notification of the alert?

Best regards,

Hans Vedder


Userlevel 3
Badge +8

Hi Hans 

For converting the timestamp from integer (epoch format) to a human readable format we can use the strftime function (https://docs.logpoint.com/docs/evaluation-process-plugin/en/latest/DateTime%20functions.html#strptime).

E.g. 

 | process eval("search_date=strftime(min_ts, 'yyyy-mm-dd')") 

would return the timestamp in the format listed after the comma:

 1634554729 → 2021-10-18 

The issues with the differences between 6.11.2 and 6.12 have been accepted as a bug that will be fixed in the next flex patch. 

As for the difference between search engine and alert engine, I know that the flow goes through different services so it could be why there are different outcomes. 

Kind regards
Nicolai 
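The two replies above describe one pipeline: convert the log_ts string to an epoch number before aggregating with min(), then render the epoch back to a date with strftime. The following Python snippet is an added example that is not part of this thread and not Logpoint code; it reproduces both halves on constructed sample events so the failure mode and the fix can be seen side by side. The event records, addresses and the helper names (naive_min_ts, to_epoch, min_ts_by_pair, fmt) are all assumptions made for illustration, and Python's %Y-%m-%d layout stands in for Logpoint's 'yyyy-mm-dd' pattern.

```python
import calendar
import time

# Constructed sample events (not real Logpoint data); log_ts uses the
# "yyyy/mm/dd HH:MM:SS" layout shown in the question.
EVENTS = [
    {"log_ts": "2021/10/11 11:04:54", "source_address": "10.0.0.5", "destination_address": "10.0.0.9"},
    {"log_ts": "2021/10/11 10:59:12", "source_address": "10.0.0.5", "destination_address": "10.0.0.9"},
    {"log_ts": "2021/10/18 10:58:49", "source_address": "10.0.0.7", "destination_address": "10.0.0.9"},
]

LOG_TS_FORMAT = "%Y/%m/%d %H:%M:%S"


def naive_min_ts(events):
    """Mimic an aggregation that coerces log_ts to a number before min().

    This is the behaviour Nicolai's reply suspects: a date string such as
    '2021/10/11 11:04:54' cannot be parsed as a float, so the aggregation
    fails. The error message is returned instead of raised so that the
    failure is visible to the caller.
    """
    try:
        return min(float(e["log_ts"]) for e in events)
    except ValueError as exc:
        return str(exc)


def to_epoch(log_ts):
    """Parse a 'yyyy/mm/dd HH:MM:SS' string as UTC and return epoch seconds."""
    return calendar.timegm(time.strptime(log_ts, LOG_TS_FORMAT))


def min_ts_by_pair(events):
    """Group by (source_address, destination_address) and keep the earliest
    log_ts as an epoch integer, i.e. the 'convert first, then min()' fix."""
    result = {}
    for e in events:
        key = (e["source_address"], e["destination_address"])
        epoch = to_epoch(e["log_ts"])
        result[key] = min(result.get(key, epoch), epoch)
    return result


def fmt(epoch, layout="%Y-%m-%d"):
    """Render epoch seconds back to a date string (UTC), the counterpart of
    strftime(min_ts, 'yyyy-mm-dd') in the reply above."""
    return time.strftime(layout, time.gmtime(epoch))


if __name__ == "__main__":
    print("naive:", naive_min_ts(EVENTS))
    for (src, dst), epoch in min_ts_by_pair(EVENTS).items():
        print(src, "->", dst, epoch, fmt(epoch))
```

Running the block prints the float-conversion error for the naive path and, for the converted path, one epoch and date per address pair; the third sample event deliberately uses the epoch from the reply (1634554729) so the rendered date matches the 2021-10-18 shown there.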

Hi @Hans Vedder and All :)


The patch Nicolai mentioned is available now.


You can download it here: https://servicedesk.logpoint.com/hc/en-us/articles/4409222763665-LogPoint-v6-12-1

and access the documentation here: https://docs.logpoint.com/docs/logpoint-overview/en/latest/LogPoint%20Docs.html :)
