Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best way to add start time from external time to time field in searches

seam0n
Explorer
‎04-10-2015 04:47 AM

I've got the start time for my events in a external xml-file.
Is there a easy way to access this information in a search?
I want to add this start time to my time field in searches.
My events are individual elements from xml-files, which were
parsed as defined in my props.conf

File containing start time
<?xml version="1.0" ?>
<table name="Result">
<row id="0">
<TimeZone>-3600</TimeZone>
<StartTime>1414656604</StartTime>
<ResultEndTime>1414670180</ResultEndTime>
</row>
</table>

My props.conf
[<stanza>]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = (\<\?.+?\?\>)|(\<table name\=\".+?\"\>)|(\<\/table\>)|(\<row.*?\>)|(\<\/row\>)
KV_MODE = xml
sourcetype = xml
TRUNCATE = 0

0 Karma
Reply

seam0n
Explorer
‎04-28-2015 01:20 AM

This was not solved by configuring settings in Splunk, instead I had to reformat the xml files.

0 Karma
Reply

lguinn2
Legend
‎04-11-2015 12:01 PM

Why are you using the current datetime to index the events instead of the start time in the file?

But to answer your question, you should be able to access the StartTime quite easily in your search. There should be a field named StartTime. You could do StartTime > 1414656604 for example.

What exactly do you want to do with the start time?

0 Karma
Reply

seam0n
Explorer
‎04-13-2015 04:32 AM

Thank you Inguinn, you are right, I should extract datetime in props. I really don't know how to though, I understand that I should define a timestamp extractor, but how do I extract from an other file other than the one being parsed? Is this even possible?

I don't want to do anything with start time, I just want to be able to show absolute and relative time on my events in Splunk. I got EndTime in my events so this is the time im using in all my graphs right now, EndTime is the relative time.

0 Karma
Reply

lguinn2
Legend
‎04-13-2015 07:13 AM

You don't need to define a timestamp extractor. I would update your props.conf as follows

[<stanza>]
LINE_BREAKER = (\<\?.+?\?\>)|(\<table name\=\".+?\"\>)|(\<\/table\>)|(\<row.*?\>)|(\<\/row\>)
KV_MODE = xml
sourcetype = xml
TRUNCATE = 0
TIME_PREFIX = \<StartTime>
MAX_TIMESTAMP_LOOKAHEAD = 15
0 Karma
Reply

seam0n
Explorer
‎04-14-2015 12:28 AM

I think you have misunderstood what im looking for, the start time attribute only exists in one of the xml files. I have a xml database where only one "table" contains the time.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
li.common.scroll-to.top