topic Re: How to convert _time column to epoch time in Splunk Search

How to convert _time column to epoch time

Becherer — Wed, 30 Sep 2020 01:07:45 GMT

I need to convert the _time to epoch time. How is this done? Here is my time format and my cell is "_time".
I have tried in the search box the following line.

| eval epoch1=strptime(_time,"%m/%d/%y %I:%M:%N %p")

_time

6/27/19
2:29:09.000 PM

6/27/19
3:29:09.000 PM

6/27/19
5:29:09.000 PM

Thank you!

Re: How to convert _time column to epoch time

mdsnmss — Thu, 27 Jun 2019 20:06:11 GMT

| eval epoch1=_time

Re: How to convert _time column to epoch time

Becherer — Thu, 27 Jun 2019 20:10:55 GMT

@mdsnmss

I tried that but it still is showing the same. Do I need to change the %s?

Re: How to convert _time column to epoch time

mdsnmss — Thu, 27 Jun 2019 20:15:36 GMT

You are trying to get the field _time itself to display epoch? What is the full search? I don't believe you can actually overwrite _time so have to use the other field to display epoch.

Re: How to convert _time column to epoch time

mdsnmss — Wed, 30 Sep 2020 01:04:27 GMT

One thing I forgot is _time actually is already in epoch but just displayed human readable in Splunk UI. All you would need is | eval epoch1=_time

Re: How to convert _time column to epoch time

Becherer — Thu, 27 Jun 2019 20:26:00 GMT

I have tried both but cant seem to change the field. could I display the epoch time in a differet column?

index=EventEndpoint
| eval date=strftime(date,"%c")

And

index=EventEndpoint
| eval epoch1=_time

Re: How to convert _time column to epoch time

Becherer — Thu, 27 Jun 2019 20:26:23 GMT

@mdsnmss

I have tried both but cant seem to change the field. could I display the epoch time in a differet column?

index=EventEndpoint
| eval date=strftime(date,"%c")

And

index=EventEndpoint
| eval epoch1=_time

Re: How to convert _time column to epoch time

mdsnmss — Thu, 27 Jun 2019 20:30:07 GMT

What are you using to display the data? Those base searches will only return raw results and not a stats/visualization. index=EventEndpoint | eval date=_time | table date _time will show you the time in both epoch and human readable time.

Re: How to convert _time column to epoch time

jnudell_2 — Wed, 30 Sep 2020 01:04:35 GMT

HI @Becherer ,

_time is always stored in the Splunk indexes as an epoch time value. When you use _time in a search, Splunk assumes you want to see a human-readable time value, instead of an epoch time number of seconds. It also assumes that you want to see this human readable time value in the current time zone of the user account that is currently logged in.

If you want to see the actual epoch time value, you can use eval to create an epoch time representation instead:

 | eval time_epoch = strftime(_time, "%s")

As @mdsnmss suggested, you could also do

 | eval epoch1 = _time

Which also works, because Splunk only makes the human readable assumption for _time, and anything else that you set to _time will be a epoch time value.

I hope this helps.