Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is this? how can I convert it?

j666gak
Communicator
‎08-25-2012 01:16 PM

I have exported an SQLite database in to an XML file (Using Navicat) and then indexed it in to Splunk. However Time and Date information seem to be in a strange format, any ideas what it is? or how I can get it to display properly?


Creation_Time 1303723121371 /Creation_Time


Test_Date 1301011200000 /Test_Date


Thanks


Guy

0 Karma
Reply

j666gak
Communicator
‎08-26-2012 05:35 PM

I have tried with the following in the props.conf but still getting the same issue

[bayer_glucofacts]


BREAK_ONLY_BEFORE = ([\r\n]+)


LINE_BREAKER = ([\r\n]+)


NO_BINARY_CHECK = 1


SHOULD_LINEMERGE = false


TIME_PREFIX =


TIME_FORMAT = %s%3N


pulldown_type = 1

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2012 04:54 PM

It's not %s. As I said, it's %s%3N, and you also should include a TIME_PREFIX to locate the time, since there are many other timestamps visible earlier in the event.

0 Karma
Reply

j666gak
Communicator
‎08-26-2012 04:51 PM

Hello,


Thanks for your replies. I have added TIME_FORMAT=%s in to props.conf, however on "data preview" for the sourcetype defined in props.conf and inputs.conf it is still incorrect.


I would really appreciate any help!


Fields Incorrect


Creation_Time


Test_Date


Last_Modification_Time



Data Preview

<RECORD>

A/Z1

13037230058437390-2116752Wed Mar 23 00:00:00 GMT 201118:47:00plasma135.0
-1

1
7390-2116752

0
0
0
Result
18:47:00


Glucose
1
plasma
1303723005843

Admin
1303723121358
1300838400000
7.5
1303723121358


mmol/L

1
Post-meal

2141549235


Thanks

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2012 04:17 PM

It is epoch millisecond time. You can specify the format in Splunk with

TIME_FORMAT = %s%3N
Reply

jgedeon120
Contributor
‎08-25-2012 02:04 PM

It's epoch or Unix time.
http://splunk-base.splunk.com/answers/8428/how-do-i-recognize-a-time-in-epoch-seconds

Reply

jgedeon120
Contributor
‎08-25-2012 04:53 PM

Yes I you are correct.

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎08-25-2012 03:39 PM

To be accurate, these seem to be epoch times with millisecond precision, which is why you see 13 digits instead of the usual 10 that are necessary to represent seconds since the epoch.

1303723121371 = 1303723121.371 seconds since the epoch = Mon, 25 Apr 2011 09:18:41.371 GMT

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...