Solved: Re: Timestamp format yyyyMMddHHmmss - Micro Focus Community

ptsia · ‎2020-02-05

Hello,

I am trying to find a function that parses the following timestamp format

yyyyMMddHHmmss e.g. 20200203000001 for 3rd Feb 2020 00:00:01

So far i have this:

token[1].name=year
token[1].type=String

token[2].name=month
token[2].type=String

token[3].name=day
token[3].type=String

token[4].name=hour
token[4].type=String

token[5].name=minutes
token[5].type=String

token[6].name=seconds
token[6].type=String

event.endTime=__createSafeLocalTimeStamp(__concatenate($1,$2,$3,$4,$5,$6),"yyyy MM dd HH\:mm\:ss")

but does not give the correct result.

any suggestions?

Thank u in advance

Vivian

manojs · ‎2020-02-05

First of all this timestamp "yyyyMMddHHmmss" is incorrect format.

For having a correct timestamp operation, you must have a RFC 5424 compliant timestamp.

Try this:

token[0].name=yy
token[0].type=String

token[1].name=mm
token[1].type=String

token[2].name=dd
token[2].type=String

token[3].name=hh
token[3].type=String

token[4].name=min
token[4].type=String

token[5].name=sec
token[5].type=String

event.deviceReceiptTime=__createSafeLocalTimeStamp(__concatenate(yy,"-",mm,"-",dd," ",hh,"\:",min,"\:",sec),"yyyy-MM-dd HH\:mm\:ss")

Manoj S.

View solution in original post

mrksr · ‎2020-02-05

... you do not need a function to parse the timestamp. Try something like this:

mrksr · ‎2020-02-05

token[0].name=EventTimeStamp
token[0].type=TimeStamp
token[0].format=yyyyMMddHHmmss

event.endTime=EventTimeStamp

ptsia · ‎2020-02-05

hi,

thank you for your response but does not seem to work.

I was expecting something like:

2020/02/05 00:00:01 EET

mrksr · ‎2020-02-05

Maybe I misunderstood your question. If you want to parse a log message and have already identified a token that represents the time stamp (by using digits for year, month, day, hour, minute, second ... in whatever strange format), and you want to 'copy' this time stamp to an ArcSight event field of type TimeStamp you can easily use the .format declaration to get this done:

token[0].format=yyyy/MM/dd HH:mm:ss z

This .format declaration can read "2020/02/05 00:00:01 EET"

However, if you have 6 separate tokens that represent year, month, day, hour, minute, second and want to concat them and 'copy' to event field TimeStamp (like in your first comment), this should work:

event.endTime=__createSafeLocalTimeStamp(__concatenate($1,$2,$3,$4,$5,$6,),yyyyMMddHHmmss)

The "FlexConnector Developer's Guide" gives lots of examples how to parse time stamps. Have a look at it!

ptsia · ‎2020-02-05

I get a value of 1580680801000 while i should get a date of 1580688001...

i cannot figure out what is wrong

mrksr · ‎2020-02-05

All right, that really looks like an 'epoch time stamp'. It is the number of milliseconds since January 1st 1970.

Use the ArcSight Operation __longToTimeStamp to convert this long intetger to a time stamp.

Example:

token[0].name=EventTimeStamp
token[0].type=Long

event.endTime=__longToTimeStamp(EventTimeStamp)

This should convert the number of milliseconds to ArcSight TimeStamp

manojs · ‎2020-02-05

Manoj S.

manojs · ‎2020-02-05

First of all this timestamp "yyyyMMddHHmmss" is incorrect format.

For having a correct timestamp operation, you must have a RFC 5424 compliant timestamp.

Try this:

token[0].name=yy
token[0].type=String

token[1].name=mm
token[1].type=String

token[2].name=dd
token[2].type=String

token[3].name=hh
token[3].type=String

token[4].name=min
token[4].type=String

token[5].name=sec
token[5].type=String

event.deviceReceiptTime=__createSafeLocalTimeStamp(__concatenate(yy,"-",mm,"-",dd," ",hh,"\:",min,"\:",sec),"yyyy-MM-dd HH\:mm\:ss")

Manoj S.

View solution in original post

ptsia · ‎2020-02-06

Thank u manojs!

That was it!