topic Re: How to convert epoch to human readable format at index time? in Splunk Search

How to convert epoch to human readable format at index time?

ricotries — Thu, 06 Feb 2020 14:27:43 GMT

I am currently monitoring a file that generates logs, but assigns the time in epoch format. Is there a way to transform/convert the epoch timestamp to a human readable format during index time?

(I know there is a way to do this in a search query, but I would like to store the timestamp in a human readable format.)

EDIT:
The file I am monitoring is /root/.bash_history (I made system configuration changes to make sure that every command execution is stored immediately) and most of the time Splunk does a very good job at assigning timestamps to each command execution, but sometimes it will create one event with multiple commands and assigns one timestamp to all of them. So I decided to generate a timestamp that is appended to every command.

The way they are listed in the file is as such:

#1234567890
<command>

Now, I've set the correct configuration in props.conf to ensure that every two strings is one event, but now I'm trying to assign the "1234567890" as the timestamp of the event and make sure it shows in human readable format for search results.

Re: How to convert epoch to human readable format at index time?

gcusello — Thu, 06 Feb 2020 14:36:20 GMT

Hi @ricotries,
when an event is indexed in Splunk a timestamp is assigned to it (at indextime) and stored in the _time field that's a field in epochtime but displayed in human readable format, so I don't understand your need, and it must be in epochtime to do all the calculations in events display.
Anyway, if you want to have another field with the timestamp in human readable format, you could create a calculated field, starting from _time that displays timestamp in the format you want using the strftime function.

Ciao.
Giuseppe

Re: How to convert epoch to human readable format at index time?

oscar84x — Thu, 06 Feb 2020 14:42:45 GMT

Is it the actual timestamp from the event? If Splunk is not picking it up automatically you can use Timestamp format, Timestamp prefix, and lookahead to tell Splunk where the timestamp is and how to read it.
Can you provide a few sample events?

Re: How to convert epoch to human readable format at index time?

ricotries — Thu, 06 Feb 2020 14:42:52 GMT

Let me see if I understood your answer correctly. _time already stores the timestamp of an event in epoch but during a search it is displayed in human readable format?

Re: How to convert epoch to human readable format at index time?

gcusello — Thu, 06 Feb 2020 14:50:16 GMT

Hi @ricotries,
yes, the displayed timestamp of your events isn't in human readable format?

if you don't like the used format, you can change it using strftime function, but it's readable!

Anyway, _time must be in epochtime otherwise you cannot do comparisons between dates: infact if you want to compare two dates in Human readable format, you have to convert in epochtime, compare them and eventually re convert in human.

Ciao.
Giuseppe

Re: How to convert epoch to human readable format at index time?

ricotries — Thu, 06 Feb 2020 16:30:47 GMT

I was not understanding how Splunk assigns timestamps but after reading your responses and doing some testing, I figured it out. Thank you!