Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can splunk recognize Chinese character timestamp

123tk
Loves-to-Learn Lots
‎02-07-2021 10:45 PM

1.How can I extract timestamp to correct time as following ?
2020/12/29 下午 02:39:45    "下午" means  PM   ==> 2020/12/29  14:39:45 
2020/12/29 上午 05:15:08      "上午" means AM   ==> 2020/12/29  05:15:08

2.If splunk can't recognize Chinese character, I change the time "下午" to PM and  "上午" to AM manually, can I extract timestamp as following?    

  I use "%Y/%m/%d %p %I:%M:%S" to extract time, but it fails.

2020/12/29 PM 02:39:45   ==> 2020/12/29  14:39:45 
2020/12/29 AM 05:15:08   ==> 2020/12/29  05:15:08

  

Labels (1)
Labels
Tags (1)
0 Karma
Reply

123tk
Loves-to-Learn Lots
‎02-09-2021 12:47 AM

I spent the whole day and finally found out the solution:

%Y/%m/%d %P %I:%M:%S

use above to define timestamp, ALSO you have to clarify the name of the time(order_date)

for example as the csv file:   

order_date   product

2020/12/1 上午 11:01:46   cups

2020/12/16 下午 04:01:46  unberllas

and as the splunk ingests the file, you will get

_time

2020/12/1  11:01:46

2020/12/16  16:01:46

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎02-08-2021 02:04 AM

https://community.splunk.com/t5/Archive/How-do-I-search-for-Chinese-characters-in-Splunk/m-p/393544

this question seems like a good fit for your case.. maybe, you can create if cases for the AM and PM and then manually do the calculations.

 

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configurecharactersetencoding

pls check the Chinese character set - "GB_2312-80 (aka, CHINESE, ISO-IR-58, CSISO58GB231280)" 

try to use it and see if it picks up the Chinese characters.

 

on this question, 

https://community.splunk.com/t5/Getting-Data-In/how-to-recognize-timestamp-with-Chinese-character/td...

its said that "Currently we do not support Chinese month like 一月, ......十二月.
SPL-67688 has been created for getting supported, will be fixed in the later version."...

but searching for "SPL-67688" fails, not sure of how to proceed. if the above two ideas didnt work, you should check with Splunk Support only. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

to4kawa
Ultra Champion
‎02-08-2021 02:02 AM

'上午' → \x{4e0a}\x{5348}  '下午' → \x{4e0b}\x{5348} 
please modify datetime.xml
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Data/Configuredatetimexml

 

<define name="_ampm" extract="ampm">
        <text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>

 

I wrote that, but there is a setting.

 

props.conf

 

TIME_FORMAT = %Y/%m/%d %p %I:%M:%S

 

 sample:

 

index=_internal | head 1 | fields _raw
| eval _raw="2020/12/29 下午 02:39:45    \"下午\" means  PM   ==> 2020/12/29  14:39:45 
2020/12/29 上午 05:15:08      \"上午\" means AM   ==> 2020/12/29  05:15:08"
| multikv noheader=t
| rex "(?<time>.*?)\""
| eval time_epoch=strptime(time,"%Y/%m/%d %p %I:%M:%S")
| convert ctime(time_epoch) as time1
| table time time_epoch time1

 

well, AM/PM is %P not %p

0 Karma
Reply

123tk
Loves-to-Learn Lots
‎02-08-2021 06:54 PM 
<datetime>
    <define name="ccm_1_date" extract="year,month,day">
        <text><![CDATA[\s(\d{4})/(\d{2})/(\d{1-2})]]></text>
    </define>
<define name="_ampm" extract="ampm">
        <text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
</define>
  <define name="ccm_1_time" extract="hour,minute,second">
     <text><![CDATA[\w{2}s(\d{2}):(\d{2}):(\d{2})]]></text>
  </define>

<timePatterns>
      <use name="ccm_1_time"/>
</timePatterns>
<datePatterns>
      <use name="ccm_1_date"/> 
</datePatterns>

</datetime>

hi thanks you for the reply

I found out that if the time is "2020/12/1 12:01:46 上午" the system can recognize Chinese and extract the time correctly to "20/12/01 0:01:46.000"

However, the system cannot extract  "2020/12/1 上午 12:01:46 " correctly.

I try to write the datetime2.xml like this:

 

But it fails.......

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...