I tried like this:
https://answers.splunk.com/answers/4880/hex-encoded-unix-timestamp.html
and like this:
https://answers.splunk.com/answers/30852/hex-time-stamp-extraction-issues-with-datetime-config.html
But it did not work out.
Below are my configurations:
props.conf
[test_write_hextime_to_timestamp]
DATETIME_CONFIG = /etc/my_hex_epoch_datetime.xml
MAX_TIMESTAMP_LOOKAHEAD = 8
TIME_PREFIX = time="
BREAK_ONLY_BEFORE = <telegram
MUST_BREAK_AFTER = </telegram>
REPORT-test-hex-convert = REPORT-test-hex-convert
EVAL-date_time_test = strftime(tonumber(time, 16), "%m:%d:%Y %H:%M:%S")
my_hex_epoch_datetime.xml
<define name="_hexepoch" extract="hexepoch">
<text><![CDATA[time="0x([\da-fA-F]{8})]]></text>
</define>
<timePatterns>
<use name="_hexepoch"/>
</timePatterns>
<datePatterns>
</datePatterns>