Extract two different values and set it to _time in props/transforms

avoelk
Communicator

This is how my XML events look:

<AttackCoords>-80.33100097073213,25.10742916222947</AttackCoords>
<Outcome>Interdiction</Outcome>
<Infiltrators>23</Infiltrators>
<Enforcer>Ironwood</Enforcer>
<ActionDate>2013-04-24</ActionDate>
<ActionTime>00:07:00</ActionTime>
<RecordNotes></RecordNotes>
<NumEscaped>0</NumEscaped>
<LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords>
<AttackVessel>Rustic</AttackVessel>

I didn't find a good explanation on how to do this. My pain point is that I don't know how to glue the values from ActionDate and ActionTime together so I can generate a _time field out of it.

So, what I have:

<ActionDate>2013-04-24</ActionDate>
<ActionTime>00:07:00</ActionTime>

What I want:

_time = 2013-04-24 00:07:00

I hope anyone can help.


rnowitzki
Builder

Hi @avoelk ,

Are ActionDate and ActionTime already extracted fields that you can work with?

If so, try this:

|  makeresults
|  eval ActionDate="2013-04-24"
|  eval ActionTime="00:07:00"
|  eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")

You will just need the last line.
It puts the Date and Time in one string and converts it to an epoch timestamp (this is what _time needs).

Edit:
Removed a step that was not needed from my first approach.

If the fields are not yet extracted, you can just pipe the XML to xmlkv and then use the last line of my SPL:

<your search to get the xml event(s)>
| xmlkv
| eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")

Hope it helps.
BR

Ralph

--
Karma and/or Solution tagging appreciated.

avoelk
Communicator

So this part worked perfectly:

|  eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")

It did exactly what I was looking for. In props.conf I can use

EVAL-_time = strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")

and afterwards I've got my new _time values at search time.

Thanks a lot!

For anyone who wants to know the whole config:

props.conf:

REPORT-extractions = extractions
EVAL-_time = strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")

transforms.conf:

[extractions]
REGEX = \<ActionDate\>(?P<ActionDate>\d+-\d+-\d+)\<\/ActionDate\>\s*\<ActionTime\>(?P<ActionTime>\d+:\d+:\d+)
FORMAT = $1::$2

Edit: one minor question that is left. Is there a way to tell Splunk - given this new _time field we created - that it should use AM/PM at the end?
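As an added illustration, not code from the thread or from Splunk itself, here is a Python model of what the props/transforms above do: the thread's capture groups, the same strptime format, and an AM/PM rendering for the follow-up question. The sample event is constructed, and the UTC timezone is an assumption: the format string carries no %z, so in Splunk the parsed epoch depends on the search-time user's timezone, which matters when these timestamps are later used as evidence.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample event, shaped like the XML fragment in the question.
SAMPLE_EVENT = """<Outcome>Interdiction</Outcome>
<ActionDate>2013-04-24</ActionDate>
<ActionTime>00:07:00</ActionTime>
<RecordNotes></RecordNotes>"""

# Same capture groups as the transforms.conf REGEX in the thread.
EXTRACT_RE = re.compile(
    r"<ActionDate>(?P<ActionDate>\d+-\d+-\d+)</ActionDate>\s*"
    r"<ActionTime>(?P<ActionTime>\d+:\d+:\d+)"
)
# The format string used in the EVAL-_time line.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def extract_fields(event: str) -> dict:
    """REPORT-style extraction: ActionDate/ActionTime from one event, or {} if absent."""
    match = EXTRACT_RE.search(event)
    return match.groupdict() if match else {}


def eval_time(fields: dict, tz=timezone.utc) -> Optional[float]:
    """EVAL-_time equivalent: glue the two strings and parse them into an epoch.

    tz is an assumption for this demo: pin it explicitly so records from a source in
    another zone do not land hours away from the real action time.
    """
    if "ActionDate" not in fields or "ActionTime" not in fields:
        return None  # nothing to compute from; leave _time alone
    combined = fields["ActionDate"] + " " + fields["ActionTime"]
    try:
        naive = datetime.strptime(combined, TIME_FORMAT)
    except ValueError:
        return None  # value does not match the format; Splunk's strptime returns null here too
    return naive.replace(tzinfo=tz).timestamp()


def format_12h(epoch: float, tz=timezone.utc) -> str:
    """Render the epoch with AM/PM, the strftime counterpart of the follow-up question."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %I:%M:%S %p")
```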
