Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timestamp from XML multivalue

jbanhome
New Member
‎05-07-2017 10:45 AM

Hello,

I am new to Splunk and I have task where I need to configure timestamp from XML file. 

<root>
    <day>11</day>
    <month>11</month>   
    <year>17</year>
    <time>123055<time>
    … 
</root>

Do you have any hint how to configure this.

If I understand this correctly I must use transforms.conf to parse day, month, year and time into timestamp because with timestamp I cannot take date from multi-value?
And then after trasform I can use something like %d%m%y %H%M%S

You dont need to write regex or anything, please just point me into right direction so I can try to figure it out.

Thank you,

Tags (3)
0 Karma
Reply

dineshraj9
Builder
‎05-07-2017 10:18 PM

Try something like this in props.conf -

TIME_PREFIX = day\>
TIME_FORMAT = %d\<\/day\>[\r\n\s]+\<month\>%m\<\/month\>[\r\n\s]+\<year\>%y\<\/year\>[\r\n\s]+\<time\>%H%M%S\<time\>
MAX_TIMESTAMP_LOOKAHEAD = 100

If you want to do it at search time, then extract all time fields and then set the _time(with epoch time) field and it will reflect across all events.

0 Karma
Reply

cstump_splunk
Splunk Employee
Splunk Employee
‎05-25-2018 08:48 AM

Quick Update for Splunk 7.1.0.

To get the Time_Format to extract a time stamp in 7.1.0 you can use @dineshraj9 answer if you lose the escape characters ().

A colleague and I were trying to extract a timestamp across multiple xml tags:
<fiveminute id="28"><date><year>2018</year><month>05</month><day>22</day></date><time><hour>17</hour><minute>05</minute></time><rx>578489</rx><tx>1800555</tx></fiveminute>

We were able to get the timestamp extracted in 7.1.0 with the following configurations:
[sourcetype]
TIME_PREFIX = year\>
TIME_FORMAT = %Y%m%d%H%M

Notice that the escape character was used in the TIME_PREFIX, that value is still regex, but the TIME_FORMAT is not regex and therefore does not make use of the escape character.

Reply

jbanhome
New Member
‎05-09-2017 02:02 AM

Unfortunatelly still no luck.

props.conf is something like this
[test2xml]
DATETIME_CONFIG =
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = true
TIME_FORMAT = %d<\/day>[\r\n\s]+\%m<\/month>[\r\n\s]+\%y<\/year>[\r\n\s]+\%H%M%S\
TIME_PREFIX = day>
category = Custom
pulldown_type = true

0 Karma
Reply

dineshraj9
Builder
‎05-09-2017 02:15 AM

Here the TIME_FORMAT is missing start of the month tag and start of the year tag.
It should be - TIME_FORMAT = %d\<\/day\>[\r\n\s]+\<month\>%m\<\/month\>[\r\n\s]+\<year\>%y\<\/year\>[\r\n\s]+\<time\>%H%M%S

Also, is Splunk breaking the events properly? A single event should be .... and Splunk not be treating each line as an event.
LINE_BREAKER = ([\n\r]+)(?=\s*\<root\>)

0 Karma
Reply

jbanhome
New Member
‎05-09-2017 02:33 AM

still nothing. How can I see error log or something so I can see what I need to search. When I change props.conf is that real time change in Search?
I also tried to add - KV_MODE=xml and that will give me root.day, root.month but I simply not getting timestamp from xml.
do I need to TIME_FORMAT <\/day> or I just need to format value\n value\n value ...
How can I see what's I am doing wrong?

0 Karma
Reply

jbanhome
New Member
‎05-09-2017 02:34 AM

this is real example \nwhitespacevalue...

<LOG>
 <DAY>09</DAY>
 <MONTH>05</MONTH>
 <YEAR>17</YEAR>
 <TIME>102632</TIME>
 <CC>0488444333809518</CC>
 <AMOUNT>64957.01</AMOUNT>
</LOG>
0 Karma
Reply

dineshraj9
Builder
‎05-09-2017 03:52 AM

Could you try changing the fields to captial and try -

TIME_FORMAT = %d\<\/DAY\>[\r\n\s]+\<MONTH\>%m\<\/MONTH\>[\r\n\s]+\<YEAR\>%y\<\/YEAR\>[\r\n\s]+\<TIME\>%H%M%S

0 Karma
Reply

jbanhome
New Member
‎05-09-2017 04:04 AM

sure but timestamp values still none.

0 Karma
Reply

jbanhome
New Member
‎05-10-2017 12:52 PM

I think I'll just give up with this hint as from 1000 examples none of it's works for me. Always in WebUI \r\n\s. Above examples does not works also.

props
LINE_BREAKER = ([\n\r]+)(?=\s*)
MAX_TIMESTAMP_LOOKAHEAD = 65
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_FORMAT = %d<\/DAY>[\r\n\s]+\%m<\/MONTH>[\r\n\s]+\%y<\/YEAR>[\r\n\s]+\%H%M%S
TIME_PREFIX = DAY>

0 Karma
Reply

jbanhome
New Member
‎05-08-2017 12:51 PM

unfortunately no luck. : (
still \n and spaces give me problems. 😄

0 Karma
Reply

jbanhome
New Member
‎05-08-2017 01:22 PM

When I do it in WebUI and go with mouse over orange icon it's like
cannot parse time 11\n 11\n 17 ....
so now my question is, do I need to put <\/day>.... in TIME_FORMAT props? or I only need to escape \n4xWhitespace

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-08-2017 04:01 PM

I changed his response just a little bit. Can you try it again?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-07-2017 04:14 PM

Do you want to extract the timestamp at search time or index time?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...