topic Re: Can splunk recognize Chinese character timestamp in Getting Data In

Can splunk recognize Chinese character timestamp

123tk — Mon, 08 Feb 2021 06:45:20 GMT

1.How can I extract timestamp to correct time as following ?
2020/12/29 下午 02:39:45 "下午" means PM ==> 2020/12/29 14:39:45
2020/12/29 上午 05:15:08 "上午" means AM ==> 2020/12/29 05:15:08

2.If splunk can't recognize Chinese character, I change the time "下午" to PM and "上午" to AM manually, can I extract timestamp as following?

I use "%Y/%m/%d %p %I:%M:%S" to extract time, but it fails.

2020/12/29 PM 02:39:45 ==> 2020/12/29 14:39:45
2020/12/29 AM 05:15:08 ==> 2020/12/29 05:15:08

Re: Can splunk recognize Chinese character timestamp

to4kawa — Mon, 08 Feb 2021 10:33:34 GMT

'上午'　→　\x{4e0a}\x{5348} '下午'　→　\x{4e0b}\x{5348}
please modify datetime.xml
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configuredatetimexml

I wrote that, but there is a setting.

props.conf

TIME_FORMAT = %Y/%m/%d %p %I:%M:%S

sample:

well, AM/PM is %P not %p

Re: Can splunk recognize Chinese character timestamp

inventsekar — Mon, 08 Feb 2021 10:04:05 GMT

https://community.splunk.com/t5/Archive/How-do-I-search-for-Chinese-characters-in-Splunk/m-p/393544

this question seems like a good fit for your case.. maybe, you can create if cases for the AM and PM and then manually do the calculations.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configurecharactersetencoding

pls check the Chinese character set - "GB_2312-80 (aka, CHINESE, ISO-IR-58, CSISO58GB231280)"

try to use it and see if it picks up the Chinese characters.

on this question,

https://community.splunk.com/t5/Getting-Data-In/how-to-recognize-timestamp-with-Chinese-character/td-p/30576?sort=oldest

its said that "Currently we do not support Chinese month like 一月, ......十二月.
SPL-67688 has been created for getting supported, will be fixed in the later version."...

but searching for "SPL-67688" fails, not sure of how to proceed. if the above two ideas didnt work, you should check with Splunk Support only.

Re: Can splunk recognize Chinese character timestamp

123tk — Tue, 09 Feb 2021 02:55:38 GMT

hi thanks you for the reply

I found out that if the time is "2020/12/1 12:01:46 上午" the system can recognize Chinese and extract the time correctly to "20/12/01 0:01:46.000"

However, the system cannot extract "2020/12/1 上午 12:01:46 " correctly.

I try to write the datetime2.xml like this:

But it fails.......

Re: Can splunk recognize Chinese character timestamp

123tk — Tue, 09 Feb 2021 08:47:22 GMT

I spent the whole day and finally found out the solution:

%Y/%m/%d %P %I:%M:%S

use above to define timestamp, ALSO you have to clarify the name of the time(order_date)

for example as the csv file:

order_date product

2020/12/1 上午 11:01:46 cups

2020/12/16 下午 04:01:46 unberllas

and as the splunk ingests the file, you will get

_time

2020/12/1 11:01:46

2020/12/16 16:01:46