topic Re: Timestamp in 1/1/1900 format in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Timestamp-in-1-1-1900-format/m-p/522567#M88258 <P>I ended up just resolving this "well enough" with some field extractions.&nbsp; I made two field extractions to get the "timestamp_1900" and "timestamp_1900fract", then made a calculated field for "timestamp" with this sourcetype.&nbsp; The calculation looks like:</P><P>&nbsp;</P><P><SPAN>strftime(timestamp_1900 - 2208988800 + round(timestamp_1900fract / 4294967295, 3), "%m-%d-%Y %H:%M:%S.%3N")</SPAN></P> Thu, 01 Oct 2020 18:31:07 GMT craigkleen 2020-10-01T18:31:07Z Timestamp in 1/1/1900 format https://community.splunk.com/t5/Getting-Data-In/Timestamp-in-1-1-1900-format/m-p/520910#M88038 <P>Hi,</P><P>I'm trying to get data in from a file where data is in the following format (anonymized):</P><P><SPAN>{"</SPAN><SPAN class="t">seq</SPAN><SPAN>"</SPAN><SPAN class="t">:55619</SPAN><SPAN>,"</SPAN><SPAN class="t">ntp_time</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>[</SPAN><SPAN class="t">3809782725</SPAN><SPAN>,</SPAN><SPAN class="t">1802580594</SPAN><SPAN>],"</SPAN><SPAN class="t">reporting_id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">tugid</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"server</SPAN><SPAN>","</SPAN><SPAN class="t">ep_type</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">sip</SPAN><SPAN>","</SPAN><SPAN class="t">side</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">SS</SPAN><SPAN>","</SPAN><SPAN class="t">mac</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"aa:bb:cc:dd:ee:ff</SPAN><SPAN>","</SPAN><SPAN class="t">user</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"username</SPAN><SPAN>","</SPAN><SPAN class="t">dn</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">43128</SPAN><SPAN>"},"</SPAN><SPAN class="t">stream_id</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">sip_callid</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">hexstring</SPAN><SPAN>","</SPAN><SPAN class="t">local_uri</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">sips:emailstring:5061</SPAN><SPAN>","</SPAN><SPAN class="t">remote_uri</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">sips:emailstring:5061</SPAN><SPAN>;</SPAN><SPAN class="t">transport=tls</SPAN><SPAN>","</SPAN><SPAN class="t">ep_stream_id</SPAN><SPAN>"</SPAN><SPAN class="t">:5053</SPAN><SPAN>},"</SPAN><SPAN class="t">event</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">rtcp_tx</SPAN><SPAN>","</SPAN><SPAN class="t">rtcp_block</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">addr_local</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"ipaddr</SPAN><SPAN class="t">:24794</SPAN><SPAN>","</SPAN><SPAN class="t">addr_remote</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"ipaddr</SPAN><SPAN class="t">5036</SPAN><SPAN>","</SPAN><SPAN class="t">cname</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"emailstring</SPAN><SPAN>","</SPAN><SPAN class="t">snd_ssrc</SPAN><SPAN>"</SPAN><SPAN class="t">:680275594</SPAN><SPAN>,"</SPAN><SPAN class="t">recv_ssrc</SPAN><SPAN>"</SPAN><SPAN class="t">:3888553685</SPAN><SPAN>,"</SPAN><SPAN class="t">snd_pktcnt</SPAN><SPAN>"</SPAN><SPAN class="t">:206158433963</SPAN><SPAN>,"</SPAN><SPAN class="t">snd_bcnt</SPAN><SPAN>"</SPAN><SPAN class="t">:4121132523374324448</SPAN><SPAN>,"</SPAN><SPAN class="t">rx_loss_total</SPAN><SPAN>"</SPAN><SPAN class="t">:139753940844544</SPAN><SPAN>,"</SPAN><SPAN class="t">rx_loss_fract</SPAN><SPAN>"</SPAN><SPAN class="t">:0</SPAN><SPAN>,"</SPAN><SPAN class="t">rx_jtr</SPAN><SPAN>"</SPAN><SPAN class="t">:-139758235811834</SPAN><SPAN>,"</SPAN><SPAN class="t">rtt</SPAN><SPAN>"</SPAN><SPAN class="t">:139753940844544</SPAN><SPAN>},"</SPAN><SPAN class="t">rtp_stats</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">observed_pt</SPAN><SPAN>"</SPAN><SPAN class="t">:0</SPAN><SPAN>,"</SPAN><SPAN class="t">observed_codec</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">RTP_CODEC_G711_U</SPAN><SPAN>"}}</SPAN></P><P>So, a nice JSON.&nbsp; But, that pair of integers in ntp_time{} are seconds since 1/1/1900 and a fractional second, not 1/1/1970.&nbsp; I'm really, really hoping I don't have to write a second script that writes out the correct timestamp.</P><P>On my indexers, for the sourcetype I've defined for this, I've the following:</P><P>[baddate]<BR />REGEX = ntp_time\":\[(?&lt;baddate&gt;\d+)</P><P>INGEST_EVAL = gooddate = baddate - 2208988800</P><P>I also have props.conf calling the transform, and fields.conf setting "INDEXED=True" for baddate.&nbsp; But I don't get the field in search yet.&nbsp; Would this even work though?&nbsp; Does anyone have any other strategies I can try?&nbsp; I don't really care about the fractional second, but would work it in if I can get something to work.</P> Tue, 22 Sep 2020 18:38:35 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-in-1-1-1900-format/m-p/520910#M88038 craigkleen 2020-09-22T18:38:35Z Re: Timestamp in 1/1/1900 format https://community.splunk.com/t5/Getting-Data-In/Timestamp-in-1-1-1900-format/m-p/522567#M88258 <P>I ended up just resolving this "well enough" with some field extractions.&nbsp; I made two field extractions to get the "timestamp_1900" and "timestamp_1900fract", then made a calculated field for "timestamp" with this sourcetype.&nbsp; The calculation looks like:</P><P>&nbsp;</P><P><SPAN>strftime(timestamp_1900 - 2208988800 + round(timestamp_1900fract / 4294967295, 3), "%m-%d-%Y %H:%M:%S.%3N")</SPAN></P> Thu, 01 Oct 2020 18:31:07 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-in-1-1-1900-format/m-p/522567#M88258 craigkleen 2020-10-01T18:31:07Z