topic XML epoch time to time in Splunk Search

XML epoch time to time

chevalier51 — Wed, 07 Oct 2020 18:04:13 GMT

I want to extract dailyTime from XML and convert it into time

<globalView id="108" version="17" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" dailyTime="1284336038994" intervalMilliseconds="60000" writeUniqueCountersTime="0"> <criteria bop="AND"> <left> <expr> <interval serialization="custom"> <com.q1labs.ariel.Interval> <short>5000</short> <boolean>true</boolean> <short>5000</short> <boolean>true</boolean> </com.q1labs.ariel.Interval> </interval> </expr> <key class

Here is my props.conf

[XMLPARSING] KV_MODE = xml SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = <globalView\s\w*=("\d\d\d") MAX_EVENTS = 600 EXTRACT-dailyTime = ^(?:[^=\n]*=){8}"(\d+) TIME_FORMAT=%s%3N TIME_PREFIX=dailyTime= Lookahead=13 TRUNCATE = 1000 category = Custom disabled = false pulldown_type = true

but splunk is not converting it

Re: XML epoch time to time

richgalloway — Wed, 07 Oct 2020 18:13:07 GMT

Try

TIME_PREFIX=dailyTime="

Re: XML epoch time to time

chevalier51 — Thu, 08 Oct 2020 18:06:27 GMT

@richgalloway No not working

Re: XML epoch time to time

ashajambagi — Thu, 08 Oct 2020 18:49:11 GMT

Hey

try this
TIME_PREFIX=dailyTime\D+

Re: XML epoch time to time

chevalier51 — Thu, 08 Oct 2020 19:19:56 GMT

@ashajambagiNo not working

Re: XML epoch time to time

richgalloway — Thu, 08 Oct 2020 19:31:25 GMT

Did you restart the indexer/HF after changing props.conf? Are you checking new data? Changes to props.conf don't apply to data that's already indexed.

Re: XML epoch time to time

chevalier51 — Thu, 08 Oct 2020 20:02:48 GMT

@richgallowayYes off course

Re: XML epoch time to time

ashajambagi — Fri, 09 Oct 2020 04:16:06 GMT

@chevalier51 Epoch converter shows the date to be 2010,try increasing the MAX_DAYS_AGO

TIME_FORMAT=%s%3N TIME_PREFIX=dailyTime\D+ MAX_TIMESTAMP_LOOKAHEAD=13 MAX_DAYS_AGO=5000