topic convert epoch time to human readable format issue in Getting Data In

convert epoch time to human readable format issue

Arpmjdr — Wed, 30 Sep 2020 02:09:32 GMT

Hello Fellows,

I am trying to convert epoch time to "%m/%d/%Y %H:%M:%S" format. The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. It is not showing any value in the human readable time column.Kindly help

events:

query I am using:
index=abc sourcetype=xyz
| rex field=_raw ^(?P\d+\s+)
| eval timestamp=strftime(strptime(epoch_time,"%m/%d/%Y %H:%M:%S"),"%m/%d/%Y %H:%M:%S")
| table host epoch_time timestamp

Re: convert epoch time to human readable format issue

Sukisen1981 — Tue, 10 Sep 2019 08:11:14 GMT

can you show how your extracted epoch time looks like?

Re: convert epoch time to human readable format issue

Arpmjdr — Tue, 10 Sep 2019 08:17:04 GMT

sure.it is reflecting as "1568095811"

Re: convert epoch time to human readable format issue

Arpmjdr — Wed, 30 Sep 2020 02:09:35 GMT

i have used this to extract "| rex field=_raw ^(?P(epoch_time)\d+\s+)" .. the line dint come properly while posting the question.

Re: convert epoch time to human readable format issue

Sukisen1981 — Wed, 30 Sep 2020 02:09:40 GMT

if your epoch_time is coming as a number, you probably need this eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")| table host epoch_time timestamp

Re: convert epoch time to human readable format issue

Arpmjdr — Tue, 10 Sep 2019 09:31:17 GMT

I have tried this already.But no value is coming in the "timestamp" column in the table

Re: convert epoch time to human readable format issue

Sukisen1981 — Tue, 10 Sep 2019 09:35:20 GMT

can you check if the epoch_time is coming as number or string when you extract it? it should come as # indicating number type, if it is coming as string use a tonumber() to convert the string to a number

Re: convert epoch time to human readable format issue

jpolvino — Tue, 10 Sep 2019 19:41:40 GMT

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

Re: convert epoch time to human readable format issue

Arpmjdr — Wed, 11 Sep 2019 11:35:57 GMT

you are 100% correct @jpolvino my rex command was not proper.Now it is working perfect ..Thank u 🙂

Re: convert epoch time to human readable format issue

Arpmjdr — Wed, 11 Sep 2019 11:38:08 GMT

My rex command was not correct @Sukisen1981 . now it worked..Appreciate your inputs 🙂