Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
1231 views

How to create a timestamp field with only has time value?

Jump to solution

Hi all,

   Need your help, I got a syslog events only having time value. How can I capture current date and join it as endTime.

SBV_SERVER: 17:26:14,764 INFO  User_Management Logout - <hostname@10.10.10.10:SFA:1> User username logged out

Labels (2)
0 Likes
1 Solution

Accepted Solutions
Fleet Admiral
Fleet Admiral

Fun! This should get you started:

__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__currentTimestampInSeconds(),86400),86400),__hourMinuteSecondsToSeconds(time)),36000))) 

Where "time" is the HHm:mm:ss component of your message, note that this statically adjusts for timezone which will be problematic in regions with daylight savings.  There may be a better function for doing this.

__product(__divide(__currentTimestampInSeconds(),86400),86400)

gets the date for today 00:00:00, this is because __divide returns an integer (hopefully floored not rounded...), giving days since epoch, multiplying this back by 86400 turns this back into seconds.  Then we add your time converted to seconds to the result, add 36000 to adjust for tz (I'm +10), multiply by 1000 to get to milliseconds and convert to a timestamp.

View solution in original post

0 Likes
5 Replies
Fleet Admiral
Fleet Admiral

Fun! This should get you started:

__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__currentTimestampInSeconds(),86400),86400),__hourMinuteSecondsToSeconds(time)),36000))) 

Where "time" is the HHm:mm:ss component of your message, note that this statically adjusts for timezone which will be problematic in regions with daylight savings.  There may be a better function for doing this.

__product(__divide(__currentTimestampInSeconds(),86400),86400)

gets the date for today 00:00:00, this is because __divide returns an integer (hopefully floored not rounded...), giving days since epoch, multiplying this back by 86400 turns this back into seconds.  Then we add your time converted to seconds to the result, add 36000 to adjust for tz (I'm +10), multiply by 1000 to get to milliseconds and convert to a timestamp.

View solution in original post

0 Likes
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

Hi Richard,

   When __divide(__currentTimestampInSeconds(),86400), the floored result will rounded to the nearest integer, it may potentially added 1 day. So should we subtract 43,200 seconds?

__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__subtract(__currentTimestampInSeconds(),43200),86400),86400),__hourMinuteSecondsToSeconds(time)),36000)))

0 Likes
Fleet Admiral
Fleet Admiral

Yeah, I see it in the doco now that I look, divide is rounding to the nearest integer so it's actually no good here as you will potentially add a day. Even given that, this method is actually still unreliable as late arriving messages at midnight will get timestamped as the next day.  This combined with daylight savings etc it might be better/more reliable to just use the deviceReceiptTime as the endTime and store the time string as a deviceCustomString

Edit: I thought of an interesting workaround using a map file but unless you have a specific use case in mind that absolutely requires that timestamp to be set then I'm not sure it's worth the effort

Edit 2: Maybe a Pre-persistence rule...

0 Likes
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

Some serious Flexing is going on.

Since it is sending through syslog, I would try to map AgentReceipttime data to endTime using mapfile. This should give us the current date along with Time. Agent and enddevice should be in same country/timezone for this.

0 Likes
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

Yes, we can map the event.deviceReceiptTime=__useCurrentYear(_SYSLOG_TIMESTAMP) or use agentReceiptTime for deviceReceipTime, but the actual timestamp in events is different from deviceReceiptTime and agentReceiptTime. Customer required this timestamp value for one of the use cases. So far according to my test it work fine for

__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__subtract(__currentTimestampInSeconds(),43200),86400),86400),__hourMinuteSecondsToSeconds(time)),36000)))

Thank you to Richard Hope and Anware Khan.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.