topic Re: Event gen: timestamp for epoch time in Getting Data In

Event gen: timestamp for epoch time?

Nith — Thu, 30 Mar 2023 14:40:55 GMT

I would like to ask a doubt:

for the following time format, we can use the following timestamp, just for an example

time format:2020-11-09 11:20:35

timestamp:%Y-%m-%d %H:%M:%S

here is my doubt

for the following 13 digit epoch time format which timestamp can we use?

time format:1589479343000

timestamp:?

working on the Eventgen app to generate the 13 digit epoch time.

Thanks in Advance

Re: Event gen: timestamp for epoch time

renjith_nair — Wed, 11 Nov 2020 04:05:04 GMT

In general epoch time can be converted using strftime and any time format

e.g

formatted=strftime(1589479343000,"%Y-%m-%d %H:%M:%S")

Does that work ?

Re: Event gen: timestamp for epoch time

Nith — Wed, 11 Nov 2020 08:09:50 GMT

Hi @renjith_nair ,

thank you for your reply,

Actually, I'm not trying to convert the epoch time. I need it as in the epoch time format.

I'd like to generate epoch time in the same format(1589479343000) so I just need the timestamp for that specified epoch time(if it is possible).

I'd like to generate multiple events in the Eventgen app, so I need the timestamp to generate epoch time.

not the conversion of any time format.

I have a data like this :"$date": 1589530298000

to generate more data in Eventgen App I used the token like this

token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = ?

what should I add in the token.2.replacement= to get the epochtime.

Thank you

Re: Event gen: timestamp for epoch time

renjith_nair — Wed, 11 Nov 2020 15:03:49 GMT

Sorry, not sure if I have got it correctly.

So you have an epoch as part of your data which is in the format "$date": 1589530298000

Do you want to replace it with or convert? If you do not want to replace , just dont add anything to the replacement.

token.<n>.replacement = <string> | <strptime> | ["list","of","strptime"] | guid | ipv4 | ipv6 | mac | integer[<start>:<end>] | float[<start>:<end>] | string(<i>) | hex(<i>) | list["list", "of", "values"] | <replacement file name> | <replacement file name>:<column number> | <integer> * 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks. * For <string>, the token will be replaced with the value specified. * For <strptime>, a strptime formatted string to replace the timestamp with * For ["list","of","strptime"], only used with replaytimestamp, a JSON formatted list of strptime formats to try. Will find the replace with the same format which matches the replayed timestamp. * For guid, the token will be replaced with a random GUID value. * For ipv4, the token will be replaced with a random valid IPv4 Address (i.e. 10.10.200.1). * For ipv6, the token will be replaced with a random valid IPv6 Address (i.e. c436:4a57:5dea:1035:7194:eebb:a210:6361). * For mac, the token will be replaced with a random valid MAC Address (i.e. 6e:0c:51:c6:c6:3a). * For integer[<start>:<end>], the token will be replaced with a random integer between start and end values where <start> is a number greater than 0 and <end> is a number greater than 0 and greater than or equal to <start>. If rated, will be multiplied times hourOfDayRate and dayOfWeekRate. * For float[<start>:<end>], the token will be replaced with a random float between start and end values where <end> is a number greater than or equal to <start>. For floating point numbers, precision will be based off the precision specified in <start>. For example, if we specify 1.0, precision will be one digit, if we specify 1.0000, precision will be four digits. If rated, will be multiplied times hourOfDayRate and dayOfWeekRate. * For string(<i>), the token will be replaced with i number(s) of ASCII characters where 'i' is a number greater than 0. * For hex(<i>), the token will be replaced with i number of Hexadecimal characters [0-9A-F] where 'i' is a number greater than 0. * For list, the token will be replaced with a random member of the JSON list provided. * For <replacement file name>, the token will be replaced with a random line in the replacement file. * Replacement file name should be a fully qualified path (i.e. $SPLUNK_HOME/etc/apps/windows/samples/users.list). * Windows separators should contain double forward slashes '\\' (i.e. $SPLUNK_HOME\\etc\\apps\\windows\\samples\\users.list). * Unix separators will work on Windows and vice-versa. * Column numbers in mvfile or seqfile references are indexed at 1, meaning the first column is column 1, not 0. * <integer> used as the seed for integerid. * Defaults to None.

Re: Event gen: timestamp for epoch time

Nith — Wed, 11 Nov 2020 15:07:15 GMT

Thank you for your reply @renjith_nair

I want to replace it with the current date and time in epoch time format.

Re: Event gen: timestamp for epoch time

Nith — Wed, 11 Nov 2020 15:30:28 GMT

To be more specific @renjith_nair

I've the data like this "$date": 1589530298000

this is an old date epoch time

so I'm trying to replace it with the current date and time same as epoch time format.

for that I used the conf like this

token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = I've no idea what to add here to replace the old epoch time to current date and tiime in epoch time,

I hope you understand.

Thanks in advance

Re: Event gen: timestamp for epoch time

renjith_nair — Thu, 12 Nov 2020 13:01:47 GMT

Looks like it depends on the earliest and latest time you configure. So if you are configuring earliest and latest to the recent time (for e. -10m -> now() ) and provide a strptime format, then it should replace the timestamp. Not tested though

Re: Event gen: timestamp for epoch time

Nith — Fri, 13 Nov 2020 07:57:34 GMT

Hello @renjith_nair

thanks for your response,

Actually strptime format is the problem, I've used a format like %s but it is only providing 10 digit epoch time instead of 13, and the events are changing from raw data to JSON format automatically.

Re: Event gen: timestamp for epoch time

renjith_nair — Mon, 16 Nov 2020 07:27:57 GMT

Timestamp in data e.g. 1589530298000 resolves to a future date due to the tailing zeros. I haven't tried but can't you adjust the regex to capture only the 10 digits and convert them. Sorry I can't think of any other methods

Re: Event gen: timestamp for epoch time

robertlynch2020 — Thu, 30 Mar 2023 11:56:24 GMT

Did you get an answer to this?

I am also trying to generate data in epoch, but not sure how to do it

Any help would be great thanks

Rob