Hi all,

I need your help. I have syslog events that only contain a time value. How can I capture the current date and join it to the time as endTime?

SBV_SERVER: **17:26:14,764** INFO User_Management Logout - <hostname@10.10.10.10:SFA:1> User username logged out

Accepted Solutions

Fun! This should get you started:

`__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__currentTimestampInSeconds(),86400),86400),__hourMinuteSecondsToSeconds(time)),36000)))`

Where "time" is the HH:mm:ss component of your message. Note that this statically adjusts for timezone, which will be problematic in regions with daylight savings. There may be a better function for doing this.

`__product(__divide(__currentTimestampInSeconds(),86400),86400)`

gets the date for today at 00:00:00. This is because __divide returns an integer (hopefully floored not rounded...), giving days since epoch; multiplying this back by 86400 turns it back into seconds. Then we add your time converted to seconds to the result, add 36000 to adjust for tz (I'm +10), multiply by 1000 to get to milliseconds and convert to a timestamp.

Hi Richard,

With __divide(__currentTimestampInSeconds(),86400), the floored result will be rounded to the nearest integer, so it may potentially add 1 day. So should we subtract 43,200 seconds?

`__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__subtract(__currentTimestampInSeconds(),43200),86400),86400),__hourMinuteSecondsToSeconds(time)),36000)))`

Yeah, I see it in the doco now that I look: divide is rounding to the nearest integer, so it's actually no good here as you will potentially add a day. Even given that, this method is actually still unreliable, as late-arriving messages at midnight will get timestamped as the next day. With this combined with daylight savings etc., it might be better/more reliable to just use the deviceReceiptTime as the endTime and store the time string as a deviceCustomString.

Edit: I thought of an interesting workaround using a map file, but unless you have a specific use case in mind that absolutely requires that timestamp to be set, I'm not sure it's worth the effort.

Edit 2: Maybe a Pre-persistence rule...

Some serious Flexing is going on.

Since it is sending through syslog, I would try to map agentReceiptTime data to endTime using a map file. This should give us the current date along with the time. The agent and end device should be in the same country/timezone for this.

Yes, we can map event.deviceReceiptTime=__useCurrentYear(_SYSLOG_TIMESTAMP) or use agentReceiptTime for deviceReceiptTime, but the actual timestamp in the events is different from deviceReceiptTime and agentReceiptTime. The customer required this timestamp value for one of the use cases. So far, according to my test, it works fine for:

`__createLocalTimeStampFromSecondsSinceEpoch(__integerToLong(__subtract(__sum(__product(__divide(__subtract(__currentTimestampInSeconds(),43200),86400),86400),__hourMinuteSecondsToSeconds(time)),36000)))`

Thank you to Richard Hope and Anware Khan.
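
The arithmetic of the two expressions discussed in this thread, modelled in Python as an added example (not code from any poster and not ArcSight's own implementation), so the date each one assigns can be checked hour by hour. Assumptions: `__currentTimestampInSeconds()` returns UTC epoch seconds, `__divide` rounds to the nearest integer as stated in the thread, and the device is at a static UTC+10; all function names, the sample day `D0` and `end_time_reference` are hypothetical.

```python
DAY = 86400                 # seconds per day
TZ_OFFSET = 36000           # static UTC+10 from the thread (no DST handling)
D0 = 19737 * DAY            # constructed sample day: 2024-01-15 00:00:00 UTC

def div_round(a, b):
    """Round-to-nearest integer division (assumed model of __divide)."""
    return (a + b // 2) // b

def hms_to_seconds(hms):
    """'17:26:14,764' -> 62774; the millisecond part is dropped."""
    h, m, s = hms.split(",")[0].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def end_time_first(now, hms):
    """First expression in the thread: rounding divide on the raw timestamp."""
    return div_round(now, DAY) * DAY + hms_to_seconds(hms) - TZ_OFFSET

def end_time_shifted(now, hms):
    """Second expression: subtract 43200 first, so the rounding divide floors."""
    return div_round(now - 43200, DAY) * DAY + hms_to_seconds(hms) - TZ_OFFSET

def end_time_reference(now, hms, max_skew=300):
    """Hypothetical reference: take the device's local calendar day, then step
    back one day if the result is in the future (late arrival past midnight)."""
    local_midnight = (now + TZ_OFFSET) // DAY * DAY
    candidate = local_midnight + hms_to_seconds(hms) - TZ_OFFSET
    return candidate - DAY if candidate > now + max_skew else candidate

def misdated_utc_hours(resolver, delay=1):
    """UTC hours at which an event received `delay` seconds after it was
    logged gets the wrong date from `resolver`."""
    bad = []
    for hour in range(24):
        true_end = D0 + hour * 3600
        local = (hour * 3600 + TZ_OFFSET) % DAY
        hms = f"{local // 3600:02d}:{local % 3600 // 60:02d}:{local % 60:02d}"
        if resolver(true_end + delay, hms) != true_end:
            bad.append(hour)
    return bad

if __name__ == "__main__":
    for fn in (end_time_first, end_time_shifted, end_time_reference):
        print(fn.__name__, misdated_utc_hours(fn))
```

Under these assumptions each expression is correct only for part of the day, so the outcome depends on how the connector's functions actually treat the epoch and timezone; the same sweep is worth running against real parser output before relying on endTime for correlation.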