Splunk Search

What is this? how can I convert it?

j666gak
Communicator

I have exported an SQLite database into an XML file (using Navicat) and then indexed it into Splunk. However, the time and date information seems to be in a strange format. Any ideas what it is, or how I can get it to display properly?


<Creation_Time>1303723121371</Creation_Time>
<Test_Date>1301011200000</Test_Date>


Thanks


Guy

0 Karma

j666gak
Communicator

I have tried with the following in props.conf but am still getting the same issue:

[bayer_glucofacts]
BREAK_ONLY_BEFORE = ([\r\n]+)
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX =
TIME_FORMAT = %s%3N
pulldown_type = 1

0 Karma

gkanapathy
Splunk Employee

It's not %s. As I said, it's %s%3N, and you also should include a TIME_PREFIX to locate the time, since there are many other timestamps visible earlier in the event.

0 Karma

j666gak
Communicator

Hello,


Thanks for your replies. I have added TIME_FORMAT=%s to props.conf; however, on "data preview" for the sourcetype defined in props.conf and inputs.conf it is still incorrect.


I would really appreciate any help!


Fields incorrect:
Creation_Time
Test_Date
Last_Modification_Time



Data preview:

<RECORD>
A/Z1
13037230058437390-2116752Wed Mar 23 00:00:00 GMT 201118:47:00plasma135.0
-1
1
7390-2116752
0
0
0
Result
18:47:00
Glucose
1
plasma
1303723005843
Admin
1303723121358
1300838400000
7.5
1303723121358
mmol/L
1
Post-meal
2141549235

Thanks

0 Karma

gkanapathy
Splunk Employee

It is epoch millisecond time. You can specify the format in Splunk with:

TIME_FORMAT = %s%3N

jgedeon120
Contributor

Yes, you are correct.

0 Karma

hexx
Splunk Employee
Splunk Employee

To be accurate, these seem to be epoch times with millisecond precision, which is why you see 13 digits instead of the usual 10 that are necessary to represent seconds since the epoch.

1303723121371 = 1303723121.371 seconds since the epoch = Mon, 25 Apr 2011 09:18:41.371 GMT
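To check the conversion described in this thread offline, here is an added example (not from the thread or from Splunk) that tells 10-digit epoch seconds from 13-digit epoch milliseconds, splits a millisecond value the way TIME_FORMAT = %s%3N reads it, and renders it as UTC; the sample values are the two from the question plus one constructed 10-digit value.

```python
from datetime import datetime, timezone

# Constructed samples: the two 13-digit values from the question plus a
# 10-digit seconds-only value for contrast.
SAMPLES = {
    "Creation_Time": "1303723121371",
    "Test_Date": "1301011200000",
    "seconds_only": "1303723121",
}


def epoch_precision(value: str) -> str:
    """Classify an all-digit string as epoch 'seconds' (10 digits) or 'milliseconds' (13 digits)."""
    if not value.isdigit():
        raise ValueError(f"not an epoch value: {value!r}")
    if len(value) == 13:
        return "milliseconds"
    if len(value) == 10:
        return "seconds"
    raise ValueError(f"unexpected epoch length {len(value)}: {value!r}")


def split_s_3n(value: str) -> tuple:
    """Split a 13-digit value the way %s%3N does: %s takes the seconds, %3N the last three digits."""
    if epoch_precision(value) != "milliseconds":
        raise ValueError("TIME_FORMAT %s%3N expects a 13-digit value")
    return int(value[:-3]), int(value[-3:])


def to_utc(value: str) -> datetime:
    """Convert either precision to a timezone-aware UTC datetime."""
    if epoch_precision(value) == "milliseconds":
        seconds, millis = split_s_3n(value)
    else:
        seconds, millis = int(value), 0
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=millis * 1000)


def to_iso(value: str) -> str:
    """Render as ISO 8601 with millisecond precision, e.g. 2011-04-25T09:18:41.371Z."""
    return to_utc(value).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} {raw:>13} ({epoch_precision(raw)}) -> {to_iso(raw)}")
```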
