Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is this? how can I convert it?

j666gak
Communicator
‎08-25-2012 01:16 PM

I have exported an SQLite database in to an XML file (Using Navicat) and then indexed it in to Splunk. However Time and Date information seem to be in a strange format, any ideas what it is? or how I can get it to display properly?


Creation_Time 1303723121371 /Creation_Time


Test_Date 1301011200000 /Test_Date


Thanks


Guy

0 Karma
Reply

j666gak
Communicator
‎08-26-2012 05:35 PM

I have tried with the following in the props.conf but still getting the same issue

[bayer_glucofacts]


BREAK_ONLY_BEFORE = ([\r\n]+)


LINE_BREAKER = ([\r\n]+)


NO_BINARY_CHECK = 1


SHOULD_LINEMERGE = false


TIME_PREFIX =


TIME_FORMAT = %s%3N


pulldown_type = 1

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2012 04:54 PM

It's not %s. As I said, it's %s%3N, and you also should include a TIME_PREFIX to locate the time, since there are many other timestamps visible earlier in the event.

0 Karma
Reply

j666gak
Communicator
‎08-26-2012 04:51 PM

Hello,


Thanks for your replies. I have added TIME_FORMAT=%s in to props.conf, however on "data preview" for the sourcetype defined in props.conf and inputs.conf it is still incorrect.


I would really appreciate any help!


Fields Incorrect


Creation_Time


Test_Date


Last_Modification_Time



Data Preview

<RECORD>

A/Z1

13037230058437390-2116752Wed Mar 23 00:00:00 GMT 201118:47:00plasma135.0
-1

1
7390-2116752

0
0
0
Result
18:47:00


Glucose
1
plasma
1303723005843

Admin
1303723121358
1300838400000
7.5
1303723121358


mmol/L

1
Post-meal

2141549235


Thanks

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2012 04:17 PM

It is epoch millisecond time. You can specify the format in Splunk with

TIME_FORMAT = %s%3N
Reply

jgedeon120
Contributor
‎08-25-2012 02:04 PM

It's epoch or Unix time.
http://splunk-base.splunk.com/answers/8428/how-do-i-recognize-a-time-in-epoch-seconds

Reply

jgedeon120
Contributor
‎08-25-2012 04:53 PM

Yes I you are correct.

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎08-25-2012 03:39 PM

To be accurate, these seem to be epoch times with millisecond precision, which is why you see 13 digits instead of the usual 10 that are necessary to represent seconds since the epoch.

1303723121371 = 1303723121.371 seconds since the epoch = Mon, 25 Apr 2011 09:18:41.371 GMT

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...