topic Re: How to convert epoch time to human readable format in search query? in Splunk Search

How to convert epoch time to human readable format in search query?

ziyod2005 — Fri, 08 Aug 2014 19:14:01 GMT

Could someone please help me convert epoch time to human readable time?

"time":1407361408100

this is what i'm trying to get "time":"Wed, 06 Aug 2014 21:43:28"

Re: How to convert epoch time to human readable format in search query?

somesoni2 — Fri, 08 Aug 2014 19:24:16 GMT

Where are you trying to convert this?

Re: How to convert epoch time to human readable format in search query?

ziyod2005 — Mon, 28 Sep 2020 17:17:56 GMT

I'm trying to convert 1407361408100 to some human readable format.

I've tried to used convert function but not getting the correct result
sourcetype=test | convert timeformat=" %m/%d/%y %H:%M:%S" ctime(log_time) AS c_time | table _time, c_time

Re: How to convert epoch time to human readable format in search query?

strive — Fri, 08 Aug 2014 19:38:46 GMT

Try this

sourcetype=test | eval c_time=strftime(log_time,"%m/%d/%y %H:%M:%S") | table _time, c_time

the function strftime(X,Y) takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y.

Re: How to convert epoch time to human readable format in search query?

somesoni2 — Fri, 08 Aug 2014 19:46:49 GMT

Issues that I see.

1) in the timeformat there is an extra space. Remove that
2) The field name used in ctime need to be verified. Do you have a field called log_time apart from _time field??

Re: How to convert epoch time to human readable format in search query?

ziyod2005 — Fri, 08 Aug 2014 19:49:25 GMT

Here's what I'm getting
1406263182098 12/31/99 23:59:59

Instead I should be getting:

GMT: Fri, 25 Jul 2014 04:39:42 GMT

Re: How to convert epoch time to human readable format in search query?

ziyod2005 — Mon, 28 Sep 2020 17:18:04 GMT

Here is my actual query

source = "*.job" | eval c_time=strftime(time,"%m/%d/%y %H:%M:%S") | table time, c_time

time field does exist and that's the field that I'm trying to convert

Re: How to convert epoch time to human readable format in search query?

somesoni2 — Fri, 08 Aug 2014 19:56:04 GMT

Use "%a,%d %b %Y %H:%M:%S" instead of "%m/%d/%y %H:%M:%S %Z".

Re: How to convert epoch time to human readable format in search query?

kristian_kolb — Fri, 08 Aug 2014 20:05:30 GMT

Milliseconds to blame? %3N

Re: How to convert epoch time to human readable format in search query?

ziyod2005 — Fri, 08 Aug 2014 21:11:51 GMT

I think we're getting close 🙂
1406263182098 Fri,31 Dec 9999 23:59:59
1406263177094 Fri,31 Dec 9999 23:59:59

Re: How to convert epoch time to human readable format in search query?

landen99 — Wed, 17 Sep 2014 12:29:57 GMT

call me lazy, but ..

eval c_time=strftime(log_time,"%F %T")

Re: How to convert epoch time to human readable format in search query?

arungeorge09 — Fri, 14 Nov 2014 11:08:08 GMT

I am unable to get this working too. I tried all the options and unable to see date in human readable format.

Re: How to convert epoch time to human readable format in search query?

mcronkrite — Mon, 28 Sep 2020 18:53:35 GMT

^^^ This is the answer!
eval c_time=strftime(log_time,"%F %T")

Re: How to convert epoch time to human readable format in search query?

daivish — Tue, 12 May 2015 23:58:53 GMT

@ziyod2005 Can you post your resolution here ? As i have similar issue... None of posted answers helping me to resolve my issue. Did you ever got your resolution on this question ?

Re: How to convert epoch time to human readable format in search query?

daivish — Tue, 12 May 2015 23:59:46 GMT

@ziyod2005 -- Can you post the correct Answer if you ever got the solution on this problem?

Re: How to convert epoch time to human readable format in search query?

mmensch — Tue, 29 Sep 2020 07:18:00 GMT

You have to see what units your epoch time value is in. If it is not working, try dividing the number by 1000 first. 🙂

Example:

|eval log_time=log_time/1000 |eval c_time=strftime(log_time,"%F %T") | table log_time, c_time

Re: How to convert epoch time to human readable format in search query?

Dev_Choudhary — Tue, 29 Sep 2020 14:53:51 GMT

Try this
| eval Time=strftime(log_time_field/1000, "%d-%m-%Y %H:%M:%S")

Re: How to convert epoch time to human readable format in search query?

nick405060 — Fri, 22 Feb 2019 22:15:06 GMT

Downvoted. Considering converting from epoch is one of the most common Splunk questions of all time, considering this page has 46k views, and considering that each and every answer is entirely incorrect (and the actual question itself is misleading) this page is desperately in need of removal.

1) The question doesn't actually provide a standard epoch time. A millisecond epoch time is provided
2) The answer with 16 votes (?????) fails to divide by 1000 OR provide the correct format
3) The answer with 3 votes (?????) fails to provide the correct format

@somesoni2's comment of "%a,%d %b %Y %H:%M:%S"is correct, although technically you need to divide by 1000 if you are to use the millisecond epoch time that the post provides. 99% of people who find this page are merely looking to convert epoch time to the default Splunk human-readable format, in which case what they are looking for is barely on this page. They are most likely looking for "%Y-%m-%d %H:%M:%S" which is mentioned nowhere, or possibly "%F %T" as mentioned in the comments.

I've been told that the initial question has not been retroactively edited in any way which begs the question of what happened???? I understand comments from a comment chain were likely converted to answers without the correct context, but still. Part of the problem is that, in the comment chain, the parameters surrounding the initial question were changed by the asker. Smh. This is a giant mess.

@mstjohn_splunk

Re: How to convert epoch time to human readable format in search query?

vijaysubramania — Tue, 04 Aug 2020 06:34:51 GMT

This Works. How do I calculate if I want to see the difference between 2 epoch times and displayed in hrs

Re: How to convert epoch time to human readable format in search query?

vijaysubramania — Tue, 04 Aug 2020 06:36:55 GMT

Thats Correct.

|eval start=strftime(viewingPeriodStart/1000,"%a,%d %b %Y %H:%M:%S")

|eval end=strftime(viewingPeriodEnd/1000,"%a,%d %b %Y %H:%M:%S")

Also, How do i find difference between 2 times in hrs?