Can Splunk recognize Chinese character timestamps?
1. How can I extract the timestamp to the correct time, as follows?
2020/12/29 下午 02:39:45 "下午" means PM ==> 2020/12/29 14:39:45
2020/12/29 上午 05:15:08 "上午" means AM ==> 2020/12/29 05:15:08
2. If Splunk can't recognize Chinese characters and I change "下午" to PM and "上午" to AM manually, can I extract the timestamp as follows?
I use "%Y/%m/%d %p %I:%M:%S" to extract time, but it fails.
2020/12/29 PM 02:39:45 ==> 2020/12/29 14:39:45
2020/12/29 AM 05:15:08 ==> 2020/12/29 05:15:08
I spent the whole day and finally found out the solution:
%Y/%m/%d %P %I:%M:%S
Use the above to define the timestamp. ALSO, you have to clarify the name of the time (order_date).
For example, as the CSV file:
order_date product
2020/12/1 上午 11:01:46 cups
2020/12/16 下午 04:01:46 umbrellas
and as Splunk ingests the file, you will get
_time
2020/12/1 11:01:46
2020/12/16 16:01:46

https://community.splunk.com/t5/Archive/How-do-I-search-for-Chinese-characters-in-Splunk/m-p/393544
This question seems like a good fit for your case. Maybe you can create if cases for the AM and PM and then manually do the calculations.
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configurecharactersetencoding
Pls check the Chinese character set - "GB_2312-80 (aka, CHINESE, ISO-IR-58, CSISO58GB231280)"
Try to use it and see if it picks up the Chinese characters.
On this question,
it's said that "Currently we do not support Chinese month like 一月, ......十二月.
SPL-67688 has been created for getting supported, will be fixed in the later version."...
But searching for "SPL-67688" fails, not sure of how to proceed. If the above two ideas didn't work, you should check with Splunk Support only.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
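The "if cases for the AM and PM" idea above, as an added example that is not part of the original post or Splunk's own code: a Python pre-processing step that rewrites 上午/下午 (or AM/PM) timestamps to 24-hour form before the file is ingested. It goes beyond the thread's case by accepting the marker either before or after the time; the function names and the comma-separated sample rows are assumptions.

```python
import re
from datetime import datetime

# Markers from the thread: 上午 (U+4E0A U+5348) = AM, 下午 (U+4E0B U+5348) = PM.
PM_MARKERS = {"下午", "PM"}
_DATE = r"(?P<y>\d{4})/(?P<m>\d{1,2})/(?P<d>\d{1,2})"
_TIME = r"(?P<H>\d{1,2}):(?P<M>\d{2}):(?P<S>\d{2})"
_MER = r"(?P<mer>上午|下午|AM|PM)"
PATTERNS = [
    re.compile(rf"{_DATE}\s+{_MER}\s+{_TIME}"),  # marker before the time
    re.compile(rf"{_DATE}\s+{_TIME}\s+{_MER}"),  # marker after the time
]


def find_timestamp(text):
    """Return (match, datetime) for the first timestamp in text, or None."""
    for pattern in PATTERNS:
        m = pattern.search(text)
        if m is None:
            continue
        hour = int(m["H"])
        if not 1 <= hour <= 12:
            return None  # 0 or 13-23 next to a marker is not a 12-hour value
        # 12 AM -> 00, 12 PM -> 12, every other PM hour gains 12.
        hour = hour % 12 + (12 if m["mer"] in PM_MARKERS else 0)
        try:
            return m, datetime(int(m["y"]), int(m["m"]), int(m["d"]),
                               hour, int(m["M"]), int(m["S"]))
        except ValueError:
            return None  # impossible date or time, e.g. month 13
    return None


def normalize(text):
    """Return the timestamp as a datetime, or None if absent or invalid."""
    found = find_timestamp(text)
    return found[1] if found else None


def rewrite_line(line):
    """Replace the timestamp in line with 24-hour form; else return line as-is."""
    found = find_timestamp(line)
    if not found:
        return line
    m, ts = found
    return line[:m.start()] + ts.strftime("%Y/%m/%d %H:%M:%S") + line[m.end():]


if __name__ == "__main__":
    # Constructed sample rows modelled on the thread's CSV.
    for row in ["2020/12/1 上午 11:01:46,cups", "2020/12/16 下午 04:01:46,umbrellas"]:
        print(rewrite_line(row))
```

After this rewrite the timestamps carry no meridiem marker, so a plain `%Y/%m/%d %H:%M:%S` format describes them.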
'上午' → \x{4e0a}\x{5348}　'下午' → \x{4e0b}\x{5348}
please modify datetime.xml
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configuredatetimexml
<define name="_ampm" extract="ampm">
<text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>
I wrote that, but there is a setting.
props.conf
TIME_FORMAT = %Y/%m/%d %p %I:%M:%S
sample:
index=_internal | head 1 | fields _raw
| eval _raw="2020/12/29 下午 02:39:45 \"下午\" means PM ==> 2020/12/29 14:39:45
2020/12/29 上午 05:15:08 \"上午\" means AM ==> 2020/12/29 05:15:08"
| multikv noheader=t
| rex "(?<time>.*?)\""
| eval time_epoch=strptime(time,"%Y/%m/%d %p %I:%M:%S")
| convert ctime(time_epoch) as time1
| table time time_epoch time1
well, AM/PM is %P not %p
Hi, thank you for the reply.
I found out that if the time is "2020/12/1 12:01:46 上午" the system can recognize Chinese and extract the time correctly to "20/12/01 0:01:46.000"
However, the system cannot extract "2020/12/1 上午 12:01:46 " correctly.
I try to write the datetime2.xml like this:
<datetime>
<define name="ccm_1_date" extract="year,month,day">
<text><![CDATA[\s(\d{4})/(\d{2})/(\d{1-2})]]></text>
</define>
<define name="_ampm" extract="ampm">
<text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>
<define name="ccm_1_time" extract="hour,minute,second">
<text><![CDATA[\w{2}s(\d{2}):(\d{2}):(\d{2})]]></text>
</define>
<timePatterns>
<use name="ccm_1_time"/>
</timePatterns>
<datePatterns>
<use name="ccm_1_date"/>
</datePatterns>
</datetime>
But it fails.......
