- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract two different values and set it to _ti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is how my xml events look like:
<AttackCoords>-80.33100097073213,25.10742916222947</AttackCoords>
<Outcome>Interdiction</Outcome>
<Infiltrators>23</Infiltrators>
<Enforcer>Ironwood</Enforcer>
<ActionDate>2013-04-24</ActionDate>
<ActionTime>00:07:00</ActionTime>
<RecordNotes></RecordNotes>
<NumEscaped>0</NumEscaped> <LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords>
<AttackVessel>Rustic</AttackVessel>
I didn't find a good explanation on how to do this. my painpoint is that I don't know how to glue the values from ActionDate and ActionTime together so I can generate a _time field out of it.
so, what I have :
<ActionDate>2013-04-24</ActionDate>
<ActionTime>00:07:00</ActionTime>
what I want:
_time = 2013-04-24 00:07:00
I hope anyone can help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @avoelk ,
Are ActionDate and ActionTime already extracted fields that you can work with?
If so, try this:
| makeresults
| eval ActionDate="2013-04-24"
| eval ActionTime="00:07:00"
| eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
You will just need the last line.
It puts the Date and Time in one string and converts it to an epoch timestamp (this is what _time needs).
Edit:
Removed a step that was not needed from my first approach.
If the fields are not yet extracted, you can just pipe the xml to xmlkv and then use the last line of my SPL:
<your search to get the xml event(s)>
| xmlkv
| eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
Hope it helps.
BR
Ralph
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @avoelk ,
Are ActionDate and ActionTime already extracted fields that you can work with?
If so, try this:
| makeresults
| eval ActionDate="2013-04-24"
| eval ActionTime="00:07:00"
| eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
You will just need the last line.
It puts the Date and Time in one string and converts it to an epoch timestamp (this is what _time needs).
Edit:
Removed a step that was not needed from my first approach.
If the fields are not yet extracted, you can just pipe the xml to xmlkv and then use the last line of my SPL:
<your search to get the xml event(s)>
| xmlkv
| eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
Hope it helps.
BR
Ralph
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so this part worked perfectly :
| eval _time= strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
it exactly did what I was looking for. while in props.conf I can use the
EVAL-_time = strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
afterwards i've got my new _time values at search time.
thanks a lot!
For anyone who wants to know the whole config:
props.conf:
REPORT-extractions = extractions
EVAL-_time = strptime(ActionDate +" " + ActionTime,"%Y-%m-%d %H:%M:%S")
transforms.conf:
[extractions]
REGEX = \<ActionDate\>(?P<ActionDate>\d+-\d+-\d+)\<\/ActionDate\>\s*\<ActionTime\>(?P<ActionTime>\d+:\d+:\d+)
FORMAT = $1::$2
Edit: one minor question that is left. Is there a way to tell splunk - given this new _time field we created - that it should use AM PM at the end?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
