Solved: Datetime.xml - extracting hour that does not exist

twkan · ‎04-04-2013

Hello all,

I have a series of logs that looks like this:

200312,111523  -> this means 20 March 2012, 11:15:23 am
200312,53344  -> this means 20 March 2012, 05:33:44 am (note that the first 0 is missing in the hour)
200312,1428 -> this means 20 March 2012, 00:14:28 am (note that the first two 00 are missing in the hour)

I have already written the datetime.xml to cater for the first two scenarios. But for the 3rd one where the hour is totally missing, how do I cater for this on my datetime.xml?

Has anyone managed to think of a way to 'substitue' 00 as the hour if it's missing from the logs itself?

Thanks for any insights.

twkan · ‎04-04-2013

Okay, decided to write a script to pad the time with zeros before being indexed by Splunk.

View solution in original post

twkan · ‎04-04-2013

Okay, decided to write a script to pad the time with zeros before being indexed by Splunk.

Datetime.xml - extracting hour that does not exist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation