Splunk 中的纪元时间转换为时间

Question

我正在上传一个 XML，其中一个字段是 dailyTime。这个 dailyTime 是一个纪元时间，我想将其转换为人类可读的时间。

<globalView id="108" version="17" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" dailyTime="1284336038994" intervalMilliseconds="60000" writeUniqueCountersTime="0">
    <criteria bop="AND">
      <left>
        <expr>
          <interval serialization="custom">
            <com.q1labs.ariel.Interval>
              <short>5000</short>
              <boolean>true</boolean>
              <short>5000</short>
              <boolean>true</boolean>
            </com.q1labs.ariel.Interval>
          </interval>
        </expr>
        <key class

我的 props.conf 是

[XMLPARSING]
KV_MODE = xml
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <globalView\s\w*=("\d\d\d")
MAX_EVENTS = 600 
EXTRACT-dailyTime = ^(?:[^=\n]*=){8}"(\d+)
TIME_FORMAT=%s%3N
TIME_PREFIX=dailyTime=
Lookahead=13
TRUNCATE = 1000
category = Custom
disabled = false
pulldown_type = true

Answer 1

通常，您会在搜索中从时间戳（即纪元时间）转换为人类可读的内容

像这样：

index=ndx sourcetype=srctp earliest=-4h
| stats max(_time) as rtime min(_time) as etime by fieldA
| sort 0 - rtime + fieldA
| eval rtime=strftime(rtime,"%c"), etime=strftime(etime,"%c")
| rename rtime as "Most Recent" etime as "Earliest"

Splunk strftime 文档：https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29

strptime 和 strftime 的更多格式信息：https://strftime.org