Getting Data In

Convert DateTime format before indexing and write it into _time. The event time is in hex format.

chernigin_yuri
Explorer

Hello everybody!
I have trouble parsing the event time at index time. The time field in my raw events is in hex; it is Unix time. How can I convert it from hex to decimal, and then from Unix time to a human-readable date and time? But I want to do this before indexing, for example in props.conf and transforms.conf; I need to write this time into _time.

0 Karma
1 Solution

Ravan
Path Finder

I tried to convert the time value (0x56A7DEC7) using the link below and got the date "GMT: Tue, 26 Jan 2016 21:01:59".

https://www.epochconverter.com/hex

If the conversion is accurate, you can follow the XML option mentioned in the post below.

https://answers.splunk.com/answers/4880/hex-encoded-unix-timestamp.html

0 Karma

chernigin_yuri
Explorer

I tried like this:

https://answers.splunk.com/answers/4880/hex-encoded-unix-timestamp.html

and like this:

https://answers.splunk.com/answers/30852/hex-time-stamp-extraction-issues-with-datetime-config.html

But it did not work out.

Below are my configurations:

props.conf

[test_write_hextime_to_timestamp]
DATETIME_CONFIG = /etc/my_hex_epoch_datetime.xml
MAX_TIMESTAMP_LOOKAHEAD = 8
TIME_PREFIX = time="
BREAK_ONLY_BEFORE = <telegram
MUST_BREAK_AFTER = </telegram>
REPORT-test-hex-convert = REPORT-test-hex-convert
EVAL-date_time_test = strftime(tonumber(time, 16), "%m:%d:%Y %H:%M:%S")

my_hex_epoch_datetime.xml

<define name="_hexepoch" extract="hexepoch">
    <text><![CDATA[time="0x([\da-fA-F]{8})]]></text>
</define>
<timePatterns>
    <use name="_hexepoch"/>
</timePatterns>
<datePatterns>
</datePatterns>
0 Karma

Ravan
Path Finder

I tried with sample data and it does work. Can you double check the stanzas and file permissions?

Here are the configs I have. (Avoid spaces at the beginning of config file lines.)

props.conf

[your sourcetype]
TIME_PREFIX = time="
MAX_TIMESTAMP_LOOKAHEAD = 16
BREAK_ONLY_BEFORE = <telegram
MUST_BREAK_AFTER = </telegram>
DATETIME_CONFIG = /etc/my_hex_epoch_datetime.xml

$SPLUNK_HOME/etc/my_hex_epoch_datetime.xml

<datetime>
  <define name="_hexepoch" extract="hexepoch">
    <text><![CDATA[0x([A-Fa-f0-9]{8})]]></text>
  </define>
  <timePatterns>
    <use name="_hexepoch"/>
  </timePatterns>
  <datePatterns>
  </datePatterns>
</datetime>
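To see why the working config above extracts a timestamp while the earlier one did not, here is an added Python model of what Splunk does with TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and the datetime.xml <text> regex: locate the prefix, take a window of at most LOOKAHEAD characters after it, and match the hex-epoch pattern only inside that window. This is example code written for this page, not Splunk's own timestamp extractor, and it only approximates it; the sample <telegram> lines are constructed from the header quoted later in the thread (the second and third lines are added edge cases), and the function and constant names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on the <telegram ...> header quoted in the
# thread; the second and third lines are added edge cases, not data from the post.
SAMPLE_EVENTS = [
    '<telegram time_formatted="undefined date" time="0x56A7DEC7" type="16" datalen="2001">...</telegram>',
    '<telegram time_formatted="undefined date" time="0x00000000" type="16" datalen="0"></telegram>',
    '<telegram time_formatted="undefined date" time="not-a-timestamp" type="16" datalen="0"></telegram>',
]

# Defaults mirroring the working props.conf / datetime.xml in the answer above
# (names are this example's own, not Splunk settings).
TIME_PREFIX = r'time="'
MAX_TIMESTAMP_LOOKAHEAD = 16
HEX_EPOCH_PATTERN = r'0x([A-Fa-f0-9]{8})'


def extract_hex_epoch(event, time_prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD, pattern=HEX_EPOCH_PATTERN):
    """Approximate Splunk's index-time flow: find TIME_PREFIX, look at most
    `lookahead` characters past it, and apply the datetime.xml <text> regex
    to that window only. Returns epoch seconds as an int, or None when no
    timestamp is found (where Splunk would fall back to its default
    timestamp behaviour instead of writing the hex value into _time)."""
    # Note: 'time="' does not match inside 'time_formatted="', so the first
    # hit is the attribute we want, as with the TIME_PREFIX regex in props.conf.
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + lookahead]
    m = re.match(pattern, window)   # anchored at the window start
    if m is None:
        return None
    return int(m.group(1), 16)      # hex -> decimal Unix time (seconds)


def epoch_to_utc(epoch):
    """Render decimal Unix time as a human-readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def index_time_values(events, **config):
    """Run every event through the extractor; each result is the
    (_time as epoch, _time as UTC text) pair that would be indexed, or None."""
    out = []
    for ev in events:
        epoch = extract_hex_epoch(ev, **config)
        out.append(None if epoch is None else (epoch, epoch_to_utc(epoch)))
    return out


if __name__ == "__main__":
    for ev, parsed in zip(SAMPLE_EVENTS, index_time_values(SAMPLE_EVENTS)):
        print(parsed, "<-", ev[:60])
    # The two settings from the non-working config, applied to the same event:
    # a lookahead of 8 leaves only '0x56A7DE' in the window (too short for
    # "0x" plus 8 hex digits), and repeating the prefix inside the regex means
    # 'time="' is expected a second time after it has already been consumed.
    print(extract_hex_epoch(SAMPLE_EVENTS[0], lookahead=8))
    print(extract_hex_epoch(SAMPLE_EVENTS[0], pattern=r'time="0x([\da-fA-F]{8})'))
```

The first sample line decodes to 1453842119, i.e. 2016-01-26 21:01:59 UTC, which agrees with the epochconverter result quoted in the accepted answer. Running the same event with lookahead=8, or with the prefix repeated inside the pattern as in the first props.conf/datetime.xml pair, returns None in this model, which is the practical difference between the two configurations in the thread. A value of 0x00000000 is a valid extraction (epoch 0) rather than a failure, so if such events occur, check what your Splunk timestamp sanity settings do with dates that far in the past.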

chernigin_yuri
Explorer

Many thanks!!! Success!
Your configuration is right.

0 Karma

richgalloway
SplunkTrust

Please share some sample data.

---
If this reply helps you, Karma would be appreciated.
0 Karma

chernigin_yuri
Explorer

For example:

<telegram time_formatted="undefined date" time="0x56A7DEC7" type="16" datalen="2001"> // this is the title of each event.
0 Karma