Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Best way to add start time from external time to time field in searches

seam0n
Explorer
‎04-10-2015 04:47 AM

I've got the start time for my events in a external xml-file.
Is there a easy way to access this information in a search?
I want to add this start time to my time field in searches.
My events are individual elements from xml-files, which were
parsed as defined in my props.conf

File containing start time
<?xml version="1.0" ?>
<table name="Result">
<row id="0">
<TimeZone>-3600</TimeZone>
<StartTime>1414656604</StartTime>
<ResultEndTime>1414670180</ResultEndTime>
</row>
</table>

My props.conf
[<stanza>]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = (\<\?.+?\?\>)|(\<table name\=\".+?\"\>)|(\<\/table\>)|(\<row.*?\>)|(\<\/row\>)
KV_MODE = xml
sourcetype = xml
TRUNCATE = 0

0 Karma
Reply

seam0n
Explorer
‎04-28-2015 01:20 AM

This was not solved by configuring settings in Splunk, instead I had to reformat the xml files.

0 Karma
Reply

lguinn2
Legend
‎04-11-2015 12:01 PM

Why are you using the current datetime to index the events instead of the start time in the file?

But to answer your question, you should be able to access the StartTime quite easily in your search. There should be a field named StartTime. You could do StartTime > 1414656604 for example.

What exactly do you want to do with the start time?

0 Karma
Reply

seam0n
Explorer
‎04-13-2015 04:32 AM

Thank you Inguinn, you are right, I should extract datetime in props. I really don't know how to though, I understand that I should define a timestamp extractor, but how do I extract from an other file other than the one being parsed? Is this even possible?

I don't want to do anything with start time, I just want to be able to show absolute and relative time on my events in Splunk. I got EndTime in my events so this is the time im using in all my graphs right now, EndTime is the relative time.

0 Karma
Reply

lguinn2
Legend
‎04-13-2015 07:13 AM

You don't need to define a timestamp extractor. I would update your props.conf as follows

[<stanza>]
LINE_BREAKER = (\<\?.+?\?\>)|(\<table name\=\".+?\"\>)|(\<\/table\>)|(\<row.*?\>)|(\<\/row\>)
KV_MODE = xml
sourcetype = xml
TRUNCATE = 0
TIME_PREFIX = \<StartTime>
MAX_TIMESTAMP_LOOKAHEAD = 15
0 Karma
Reply

seam0n
Explorer
‎04-14-2015 12:28 AM

I think you have misunderstood what im looking for, the start time attribute only exists in one of the xml files. I have a xml database where only one "table" contains the time.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...