Getting Data In

Convert DateTime format before indexing and write it to _time. Event time is in hex format.

Explorer

Hello everybody!
I have trouble parsing the event time during indexing. The time fields in my raw events are in hex; this is Unix time. How can I convert from hex to decimal and then from Unix time to a human-readable date-time? I want to do this before indexing, for example in props.conf and transforms.conf, and I need to write this time into _time.


Re: Convert DateTime format before indexing and write it to _time. Event time is in hex format.

SplunkTrust

Please share some sample data.

---
If this reply helps you, an upvote would be appreciated.

Re: Convert DateTime format before indexing and write it to _time. Event time is in hex format.

Explorer

For example:

<telegram time_formatted="undefined date" time="0x56A7DEC7" type="16" datalen="2001"> // this is the title of each event.

Re: Convert DateTime format before indexing and write it to _time. Event time is in hex format.

Path Finder

I tried to convert the time value (0x56A7DEC7) using the link below and got the date "GMT: Tue, 26 Jan 2016 21:01:59".

https://www.epochconverter.com/hex

If the conversion is accurate, you can follow the XML option mentioned in the post below.

https://answers.splunk.com/answers/4880/hex-encoded-unix-timestamp.html


Re: Convert DateTime format before indexing and write it to _time. Event time is in hex format.

Explorer

I tried like this:

https://answers.splunk.com/answers/4880/hex-encoded-unix-timestamp.html

and like this:

https://answers.splunk.com/answers/30852/hex-time-stamp-extraction-issues-with-datetime-config.html

But it did not work out.

Below my configurations:

props.conf

[test_write_hextime_to_timestamp]
DATETIME_CONFIG = /etc/my_hex_epoch_datetime.xml
MAX_TIMESTAMP_LOOKAHEAD = 8
TIME_PREFIX = time="
BREAK_ONLY_BEFORE = <telegram
MUST_BREAK_AFTER = </telegram>
REPORT-test-hex-convert = REPORT-test-hex-convert
EVAL-date_time_test = strftime(tonumber(time, 16), "%m:%d:%Y %H:%M:%S")

my_hex_epoch_datetime.xml

<define name="_hexepoch" extract="hexepoch">
    <text><![CDATA[time="0x([\da-fA-F]{8})]]></text>
</define>
<timePatterns>
    <use name="_hexepoch"/>
</timePatterns>
<datePatterns>
</datePatterns>

Re: Convert DateTime format before indexing and write it to _time. Event time is in hex format.

Path Finder

I tried with sample data and it does work. Can you double-check the stanzas and file permissions?

Here are the configs I have. (Avoid spaces at the beginning of lines in the config file.)

props.conf

[your sourcetype]
TIME_PREFIX = time="
MAX_TIMESTAMP_LOOKAHEAD = 16
BREAK_ONLY_BEFORE = <telegram
MUST_BREAK_AFTER = </telegram>
DATETIME_CONFIG = /etc/my_hex_epoch_datetime.xml

$SPLUNK_HOME/etc/my_hex_epoch_datetime.xml

<datetime>
          <define name="_hexepoch" extract="hexepoch">
            <text><![CDATA[0x([A-Fa-f0-9]{8})]]></text>
          </define>
          <timePatterns>
            <use name="_hexepoch"/>
          </timePatterns>
          <datePatterns>
          </datePatterns>
</datetime>
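As an added example (not code from this thread and not Splunk's own code), the following Python models what the accepted configuration does to the sample event: it cuts the event to the MAX_TIMESTAMP_LOOKAHEAD window that starts after the TIME_PREFIX match, applies the datetime.xml regex to that window only, and treats the capture group as a hexadecimal Unix epoch, which is what extract="hexepoch" means. The windowing is a simplified model of the documented props.conf semantics and is an assumption of this example; the sample event is the one quoted earlier in the thread. Running it with the original question's settings (lookahead 8, a pattern that starts with the prefix itself) shows the extraction fail, while the answer's settings yield 1453842119, which is Tue, 26 Jan 2016 21:01:59 UTC, the same value epochconverter.com gave above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the <telegram> header quoted in the thread.
SAMPLE_EVENT = ('<telegram time_formatted="undefined date" time="0x56A7DEC7" '
                'type="16" datalen="2001">')

# The two <text> regexes posted in the thread's datetime.xml files.
ANSWER_PATTERN = r'0x([A-Fa-f0-9]{8})'        # accepted answer
QUESTION_PATTERN = r'time="0x([\da-fA-F]{8})'  # original question

# TIME_PREFIX from both props.conf stanzas.
TIME_PREFIX = r'time="'


def hex_epoch_window(event, lookahead, prefix=TIME_PREFIX):
    """Return the slice of `event` that the timestamp extractor examines:
    the text after the first TIME_PREFIX match, truncated to
    MAX_TIMESTAMP_LOOKAHEAD characters. Simplified model of the documented
    props.conf behaviour (an assumption of this example), not Splunk code."""
    m = re.search(prefix, event)
    if m is None:
        return ""
    return event[m.end():m.end() + lookahead]


def extract_hex_epoch(event, pattern, lookahead):
    """Emulate <define extract="hexepoch">: the first capture group of
    `pattern` is a hexadecimal Unix timestamp. Returns epoch seconds, or
    None when the pattern does not match inside the lookahead window."""
    window = hex_epoch_window(event, lookahead)
    m = re.search(pattern, window)
    if m is None:
        return None
    return int(m.group(1), 16)


def epoch_to_utc(epoch):
    """Render epoch seconds as a human-readable UTC date-time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S")


if __name__ == "__main__":
    trials = [
        ("question: lookahead 8, pattern repeats the prefix", QUESTION_PATTERN, 8),
        ("answer pattern but lookahead 8", ANSWER_PATTERN, 8),
        ("answer: lookahead 16", ANSWER_PATTERN, 16),
    ]
    for label, pattern, lookahead in trials:
        window = hex_epoch_window(SAMPLE_EVENT, lookahead)
        epoch = extract_hex_epoch(SAMPLE_EVENT, pattern, lookahead)
        result = f"{epoch} -> {epoch_to_utc(epoch)} UTC" if epoch is not None else "no timestamp"
        print(f"{label}: window={window!r} -> {result}")
```

Two things the model makes visible: the `0x` plus eight hex digits need ten characters, so a lookahead of 8 can never see the whole value, and because extraction starts after the TIME_PREFIX match, a datetime.xml pattern that itself begins with `time="` has nothing left to match. Point the script at one of your own raw events before editing DATETIME_CONFIG on the indexer.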

Re: Convert DateTime format before indexing and write it to _time. Event time is in hex format.

Explorer

Many thanks!!! Success!
Your configuration is right.
