Solved: How to concatenate 2 fields to create a timestamp ...

virginiehang · ‎04-13-2018

Hello,

I need to import the below file:

<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>11:18:00 </MessageEmissionTime>

The timestamp should be the concatenation of Date and Time.... to be like 2017-12-04 11:18:00. How can I do that?

adonio · ‎04-16-2018

hello there,

created small file with only the combination of the fields for timestamp and one line of data:

<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>11:18:00 </MessageEmissionTime>
<someData>data1</someData>
<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>12:18:00 </MessageEmissionTime>
<someData>data2</someData>
<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>13:18:00 </MessageEmissionTime>
<someData>data3</someData>
<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>14:18:00 </MessageEmissionTime>
<someData>data4</someData>

was able to extract correct timestamp with these props:

[ sourcetype_here ]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
MUST_BREAK_AFTER=</someData>
TIME_PREFIX=<MessageEmissionDate>

see screenshot below:

alt text

hope it helps

if it doesnt solve it, can you kindly provide sample data (full event/s)

View solution in original post

adonio · ‎04-16-2018

hello there,

created small file with only the combination of the fields for timestamp and one line of data:

<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>11:18:00 </MessageEmissionTime>
<someData>data1</someData>
<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>12:18:00 </MessageEmissionTime>
<someData>data2</someData>
<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>13:18:00 </MessageEmissionTime>
<someData>data3</someData>
<MessageEmissionDate>2017-12-04</MessageEmissionDate>
 <MessageEmissionTime>14:18:00 </MessageEmissionTime>
<someData>data4</someData>

was able to extract correct timestamp with these props:

[ sourcetype_here ]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
MUST_BREAK_AFTER=</someData>
TIME_PREFIX=<MessageEmissionDate>

see screenshot below:

alt text

hope it helps

if it doesnt solve it, can you kindly provide sample data (full event/s)

virginiehang · ‎04-17-2018

@adonio thanks for your help! it is ok on my side now!

How to concatenate 2 fields to create a timestamp at import stage

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies