Solved: Re: Is it possible to set a conditional timestamp ...

amanno · ‎06-30-2017

I have an XML file with "items" that are being indexed. The issue is that these "items" can possibly have two different timestamps. At the time of indexing I want to specify the timestamp conditional on which one is available. So every item at least has timestamp1
and only some have timestamp2 but if timestamp2 exists I want that to be the timestamp seen by splunk if not then I want timestamp1. The TIME_PREFIXES would be different but I cannot seem to find a way to make the TIME_PREFIX conditional.

Any ideas?

woodcock · ‎06-30-2017

Like this:

TIME_PREFIX=(<timestamp1>(?!.*<timestamp2>))|(<timestamp2>)

View solution in original post

woodcock · ‎07-01-2017

Are these CDRs?

woodcock · ‎06-30-2017

Like this:

TIME_PREFIX=(<timestamp1>(?!.*<timestamp2>))|(<timestamp2>)

amanno · ‎06-30-2017

Example:

<item1 name='foo'>
    <timestamp1>2017-Jun-30 22:10:50</timestamp1>
    <otherdata> ... </otherdata>
</item1>
<item2 name='bar'>
    <timestamp1>2017-Jun-30 22:24:32</timestamp1>
    <otherdata> ... </otherdata>
    <timestamp2>2017-Jun-6 08:11:46</timestamp2>
</item2>

sbbadri · ‎06-30-2017

can you post some sample events.

Is it possible to set a conditional timestamp from indexed events?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?