Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can splunk recognize Chinese character timestamp

123tk
Loves-to-Learn Lots
‎02-07-2021 10:45 PM

1.How can I extract timestamp to correct time as following ?
2020/12/29 下午 02:39:45    "下午" means  PM   ==> 2020/12/29  14:39:45 
2020/12/29 上午 05:15:08      "上午" means AM   ==> 2020/12/29  05:15:08

2.If splunk can't recognize Chinese character, I change the time "下午" to PM and  "上午" to AM manually, can I extract timestamp as following?    

  I use "%Y/%m/%d %p %I:%M:%S" to extract time, but it fails.

2020/12/29 PM 02:39:45   ==> 2020/12/29  14:39:45 
2020/12/29 AM 05:15:08   ==> 2020/12/29  05:15:08

  

Labels (1)
Labels
Tags (1)
0 Karma
Reply

123tk
Loves-to-Learn Lots
‎02-09-2021 12:47 AM

I spent the whole day and finally found out the solution:

%Y/%m/%d %P %I:%M:%S

use above to define timestamp, ALSO you have to clarify the name of the time(order_date)

for example as the csv file:   

order_date   product

2020/12/1 上午 11:01:46   cups

2020/12/16 下午 04:01:46  unberllas

and as the splunk ingests the file, you will get

_time

2020/12/1  11:01:46

2020/12/16  16:01:46

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎02-08-2021 02:04 AM

https://community.splunk.com/t5/Archive/How-do-I-search-for-Chinese-characters-in-Splunk/m-p/393544

this question seems like a good fit for your case.. maybe, you can create if cases for the AM and PM and then manually do the calculations.

 

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configurecharactersetencoding

pls check the Chinese character set - "GB_2312-80 (aka, CHINESE, ISO-IR-58, CSISO58GB231280)" 

try to use it and see if it picks up the Chinese characters.

 

on this question, 

https://community.splunk.com/t5/Getting-Data-In/how-to-recognize-timestamp-with-Chinese-character/td...

its said that "Currently we do not support Chinese month like 一月, ......十二月.
SPL-67688 has been created for getting supported, will be fixed in the later version."...

but searching for "SPL-67688" fails, not sure of how to proceed. if the above two ideas didnt work, you should check with Splunk Support only. 

0 Karma
Reply

to4kawa
Ultra Champion
‎02-08-2021 02:02 AM

'上午' → \x{4e0a}\x{5348}  '下午' → \x{4e0b}\x{5348} 
please modify datetime.xml
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configuredatetimexml

 

<define name="_ampm" extract="ampm">
        <text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>

 

I wrote that, but there is a setting.

 

props.conf

 

TIME_FORMAT = %Y/%m/%d %p %I:%M:%S

 

 sample:

 

index=_internal | head 1 | fields _raw
| eval _raw="2020/12/29 下午 02:39:45    \"下午\" means  PM   ==> 2020/12/29  14:39:45 
2020/12/29 上午 05:15:08      \"上午\" means AM   ==> 2020/12/29  05:15:08"
| multikv noheader=t
| rex "(?<time>.*?)\""
| eval time_epoch=strptime(time,"%Y/%m/%d %p %I:%M:%S")
| convert ctime(time_epoch) as time1
| table time time_epoch time1

 

well, AM/PM is %P not %p

0 Karma
Reply

123tk
Loves-to-Learn Lots
‎02-08-2021 06:54 PM 
<datetime>
    <define name="ccm_1_date" extract="year,month,day">
        <text><![CDATA[\s(\d{4})/(\d{2})/(\d{1-2})]]></text>
    </define>
<define name="_ampm" extract="ampm">
        <text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>
  <define name="ccm_1_time" extract="hour,minute,second">
     <text><![CDATA[\w{2}s(\d{2}):(\d{2}):(\d{2})]]></text>
  </define>

<timePatterns>
      <use name="ccm_1_time"/>
</timePatterns>
<datePatterns>
      <use name="ccm_1_date"/> 
</datePatterns>

</datetime>

hi thanks you for the reply

I found out that if the time is "2020/12/1 12:01:46 上午" the system can recognize Chinese and extract the time correctly to "20/12/01 0:01:46.000"

However, the system cannot extract  "2020/12/1 上午 12:01:46 " correctly.

I try to write the datetime2.xml like this:

 

But it fails.......

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...