Why this query is wrong?

Hans Vedder

October 11, 2021 10:04

Hi,

when I start a query

| chart min(log_ts) as min_ts by min_ts, source_address, destination_address

I receive the error message:

could not convert string to float: '/'.

But why?

An example for log_ts: 2021/10/11 11:04:54

I use

| chart count() as "Count", min(log_ts) as min_ts, max(log_ts) as max_ts

in a macro and I am sure that in fewer versions of Logpoint I didn’t receive this error message.

Actually I use Logpoint version 6.12.0

Best regards,

Hans Vedder

6 comments

Date Votes

Nicolai Thorndahl October 11, 2021 16:14

Hi Hans

Most likely what’s going wrong is that it takes log_ts as a string rather than an epoch, and min() expects a number, so I would try to convert the timestamp to epoch and do the search.

Kind regards

Nicolai

Nicolai Thorndahl October 11, 2021 16:19

Seems like the format has changed in 6.12:

And here from 6.11.1

Nicolai Thorndahl October 11, 2021 16:35

So tested a few things, seems that it doesn’t like the “_” in the as min_ts so try a name without “_” in it, or put single quotes around the min_ts

| chart min(log_ts) as 'min_ts' by min_ts, source_address, destination_address

Hans Vedder October 15, 2021 09:51

Hi Nicolai,

many thanks for looking to my question.

One question in addition.

6.11.1 shows min(log_ts) in format datetime.

The query you provided me

| chart min(log_ts) as 'min_ts' by min_ts, source_address, destination_address

shows min_ts in integer format.

How is it possible to change the format to datetime?

Very interesting: I use the query in an alert without single quotes. The email notification with{{row.min_ts|datetime}} shows me min_ts in datetime format. No difference between 6.11.1 and 6.12.

Does sehr search engine use another min function as the email notification of the alert?

Best regards,

Hans Vedder

Nicolai Thorndahl October 18, 2021 11:04

Hi Hans

For converting the the timestamp from integer (epoch format) to a human readable format we can use the strftime fucntion ( https://docs.logpoint.com/docs/evaluation-process-plugin/en/latest/DateTime%20functions.html#strptime )

E.g.

| process eval("search_date=strftime(min_ts, 'yyyy-mm-dd')")
Would return the timestamp in the format listed after the comma:
1634554729 → 2021-10-18

The issues with the differences between 6.11.2 and 6.12 have been accepted as a bug that will be fixed in the next flex patch.

As for the difference between search engine and alert engine, I know that the flow goes through different services so it could be why there are different outcomes.

Kind regards
Nicolai

CSO Integrations October 20, 2021 07:33

Hi @Hans Vedder and All :)

The patch Nicolai mentioned is available now.

You can download it here: https://servicedesk.logpoint.com/hc/en-us/articles/4409222763665-LogPoint-v6-12-1

and access the documentation here: https://docs.logpoint.com/docs/logpoint-overview/en/latest/LogPoint%20Docs.html :)

Please sign in to leave a comment.