topic Re: Extract Epoch Time as readable time format using props.conf in Security

Extract Epoch Time as readable time format using props.conf

SplunkDash — Sat, 17 Aug 2024 23:44:49 GMT

Hello,

I have events with epoch time. How can I extract epoch time in human readable format using props.conf. My props.conf file is provided below:

[myprops] SHUOLD_LINEMERGE=false LINE_BREAK=([\r\n]+) TIME_PREFIX="timestamp": TIME_FORMAT=%s%3N

Sample Events:

{"id":"A303", "timestamp":1723933920339","message":"average time to transfer file"}

{"id":"A307", "timestamp":1723933915610","message":"average time to hold process"}

{"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}

Extracted time should be: YYYY-mm-ddTHH:MM:SS.3N

Re: Extract Epoch Time as readable time format using props.conf

richgalloway — Sun, 18 Aug 2024 00:06:18 GMT

Your existing props.conf settings are good for telling Splunk how to extract _time from the events. Don't try to put _time into human-readable format. That's done automatically at search time. Forcing it at ingest time will break how Splunk stores and retrieves events.

If you need another field to contain a human-readable form of _time then do it at search time using EVAL in props.conf.

[myprops] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) TIME_PREFIX = "timestamp": TIME_FORMAT = %s%3N EVAL-timestamp = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N")

This applies to all apps, not just Enterprise Security