0

我正在上传一个 XML,其中一个字段是dailyTime。这个 dailyTime 是一个纪元时间,我想将其转换为人类可读的时间。

<globalView id="108" version="17" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" dailyTime="1284336038994" intervalMilliseconds="60000" writeUniqueCountersTime="0">
    <criteria bop="AND">
      <left>
        <expr>
          <interval serialization="custom">
            <com.q1labs.ariel.Interval>
              <short>5000</short>
              <boolean>true</boolean>
              <short>5000</short>
              <boolean>true</boolean>
            </com.q1labs.ariel.Interval>
          </interval>
        </expr>
        <key class

我的 props.conf 是

[XMLPARSING]
KV_MODE = xml
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <globalView\s\w*=("\d\d\d")
MAX_EVENTS = 600 
EXTRACT-dailyTime = ^(?:[^=\n]*=){8}"(\d+)
TIME_FORMAT=%s%3N
TIME_PREFIX=dailyTime=
Lookahead=13
TRUNCATE = 1000
category = Custom
disabled = false
pulldown_type = true
4

1 回答 1

0

通常,您会在搜索中将时间戳(即纪元时间)转换为人类可读的内容

像这样:

index=ndx sourcetype=srctp earliest=-4h
| stats max(_time) as rtime min(_time) as etime by fieldA
| sort 0 - rtime + fieldA
| eval rtime=strftime(rtime,"%c"), etime=strftime(etime,"%c")
| rename rtime as "Most Recent" etime as "Earliest"

Splunkstrftime文档:https ://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29

strptime和的更多格式信息strftimehttps ://strftime.org

于 2020-10-09T14:49:06.167 回答