Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML epoch time to time

chevalier51
Loves-to-Learn Lots
‎10-07-2020 11:04 AM

I want to extract dailyTime from XML and convert it into time

 

 

<globalView id="108" version="17" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" dailyTime="1284336038994" intervalMilliseconds="60000" writeUniqueCountersTime="0">
        <criteria bop="AND">
          <left>
            <expr>
              <interval serialization="custom">
                <com.q1labs.ariel.Interval>
                  <short>5000</short>
                  <boolean>true</boolean>
                  <short>5000</short>
                  <boolean>true</boolean>
                </com.q1labs.ariel.Interval>
              </interval>
            </expr>
            <key class

 

 

Here is my props.conf

 

 

[XMLPARSING]
KV_MODE = xml
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <globalView\s\w*=("\d\d\d")
MAX_EVENTS = 600 
EXTRACT-dailyTime = ^(?:[^=\n]*=){8}"(\d+)
TIME_FORMAT=%s%3N
TIME_PREFIX=dailyTime=
Lookahead=13
TRUNCATE = 1000
category = Custom
disabled = false
pulldown_type = true

 

 

but splunk is not converting it

Labels (3)
Tags (1)
0 Karma
Reply

ashajambagi
Communicator
‎10-08-2020 11:49 AM

Hey

try this
TIME_PREFIX=dailyTime\D+

 

0 Karma
Reply

chevalier51
Loves-to-Learn Lots
‎10-08-2020 12:19 PM

@ashajambagiNo not working

0 Karma
Reply

ashajambagi
Communicator
‎10-08-2020 09:15 PM

@chevalier51 Epoch converter shows the date to be 2010,try increasing the MAX_DAYS_AGO

 

TIME_FORMAT=%s%3N
TIME_PREFIX=dailyTime\D+
MAX_TIMESTAMP_LOOKAHEAD=13
MAX_DAYS_AGO=5000

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2020 11:13 AM

Try

TIME_PREFIX=dailyTime="
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

chevalier51
Loves-to-Learn Lots
‎10-08-2020 11:06 AM

@richgalloway No not working

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 12:31 PM
Did you restart the indexer/HF after changing props.conf? Are you checking new data? Changes to props.conf don't apply to data that's already indexed.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

chevalier51
Loves-to-Learn Lots
‎10-08-2020 01:02 PM

@richgallowayYes off course

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...