splunk / splunk-sdk-csharp-pcl

Splunk's next generation C# SDK
https://dev.splunk.com/enterprise/docs/csharp
Apache License 2.0

Different time formats returned with the same query #69

Closed grbinho closed 2 years ago

grbinho commented 7 years ago

Hi,

I ran into a strange behavior when trying different ways of data export from Splunk. I tried to use jobs to do searches with service.GetSearchResultsAsync and service.ExportSearchPreviewsAsync, but it seems that they format time differently. Here are the examples of what I did.

First the job version.

using (var httpClientHandler = new WebRequestHandler())
{
    httpClientHandler.CachePolicy = new RequestCachePolicy(RequestCacheLevel.NoCacheNoStore);
    httpClientHandler.ReadWriteTimeout = (int)TimeSpan.FromMinutes(10).TotalMilliseconds;

    using (var context = new Context(Scheme.Https, _configuration.SplunkHost, _configuration.SplunkPort, TimeSpan.FromMinutes(5), httpClientHandler))
    {
        using (var service = new Service(context))
        {
            try
            {
                await service.LogOnAsync(_configuration.SplunkUsername, _configuration.SplunkPassword);
            }
            catch (AuthenticationFailureException authException)
            {
                _logger.Error("Splunk server: Login error", authException);
                throw;
            }

            var job = await service.Jobs.CreateAsync(query);

            using (var stream = await job.GetSearchResultsAsync())
            {
                foreach (var item in stream)
                {
                    resultFiller(item);
                }
            }                         
        }
    }
}

In this case item will have _time formatted like this

"2017-01-24T11:46:59.997+01:00"

Then if we use export,

using (var httpClientHandler = new WebRequestHandler())
{
    httpClientHandler.CachePolicy = new RequestCachePolicy(RequestCacheLevel.NoCacheNoStore);
    httpClientHandler.ReadWriteTimeout = (int)TimeSpan.FromMinutes(10).TotalMilliseconds;

    using (var context = new Context(Scheme.Https, _configuration.SplunkHost, _configuration.SplunkPort, TimeSpan.FromMinutes(5), httpClientHandler))
    {
        using (var service = new Service(context))
        {
            try
            {
                await service.LogOnAsync(_configuration.SplunkUsername, _configuration.SplunkPassword);
            }
            catch (AuthenticationFailureException authException)
            {
                _logger.Error("Splunk server: Login error", authException);
                throw;
            }

            using (var searchPreviewStream = await service.ExportSearchPreviewsAsync(query))
            {
                foreach (var preview in searchPreviewStream)
                {
                    foreach (var item in preview.Results)
                    {
                        resultFiller(item);
                    }
                }
            }
        }
    }
}

we get _time in another format with zone designated with codes and not hours.

"2017-01-24 11:46:59.997 CET"

Is there a concrete reason for this, or is this a bug?

I would expect both of them to have the same default behavior.

ncanumalla-splunk commented 2 years ago

This SDK is deprecated and no longer under active development.
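
An added example, not part of the original thread or the SDK: when results from both calls feed one event timeline, the two _time shapes quoted in the issue can be normalized to a single DateTimeOffset before comparison. The SplunkTimeNormalizer class and its abbreviation table are assumptions; zone abbreviations are ambiguous in general, so anything not listed is rejected rather than guessed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added example, not SDK code: normalizes both _time shapes shown in the issue.
public static class SplunkTimeNormalizer
{
    // Assumption: list only the abbreviations your deployment actually emits.
    // Abbreviations such as CST or IST map to several offsets, so unknown ones fail.
    private static readonly Dictionary<string, TimeSpan> KnownZones =
        new Dictionary<string, TimeSpan>(StringComparer.Ordinal)
        {
            { "UTC",  TimeSpan.Zero },
            { "CET",  TimeSpan.FromHours(1) },
            { "CEST", TimeSpan.FromHours(2) },
        };

    public static bool TryNormalize(string raw, out DateTimeOffset value)
    {
        value = default(DateTimeOffset);
        if (string.IsNullOrWhiteSpace(raw)) return false;
        raw = raw.Trim();

        // Shape 1 (job results): "2017-01-24T11:46:59.997+01:00"
        if (DateTimeOffset.TryParseExact(raw, "yyyy-MM-dd'T'HH:mm:ss.fffzzz",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out value))
            return true;

        // Shape 2 (export): "2017-01-24 11:46:59.997 CET"
        int split = raw.LastIndexOf(' ');
        if (split <= 0) return false;
        DateTime local;
        TimeSpan offset;
        if (!KnownZones.TryGetValue(raw.Substring(split + 1), out offset)) return false;
        if (!DateTime.TryParseExact(raw.Substring(0, split), "yyyy-MM-dd HH:mm:ss.fff",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out local))
            return false;

        value = new DateTimeOffset(local, offset);
        return true;
    }

    public static void Main()
    {
        DateTimeOffset t; // inputs below are the two strings quoted in the issue
        foreach (var raw in new[] { "2017-01-24T11:46:59.997+01:00", "2017-01-24 11:46:59.997 CET" })
            Console.WriteLine(TryNormalize(raw, out t) ? t.UtcDateTime.ToString("o") : "unparsed: " + raw);
    }
}
```

Treat a false return as a data-quality signal and keep the raw string alongside the event instead of substituting the ingest time.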