topic Re: Converting Epoch Time in Splunk Search

How to Convert Epoch Time?

itsmevic — Mon, 27 Mar 2023 03:08:22 GMT

I'm running the below query to find out when was the last time an index checked in. However, in using this query the output reflects a time format that is in EPOC format. I'd like to convert it to a standard month/day/year format. Any help is appreciated. Thank you.

| tstats latest(_time) WHERE index=* BY index

Re: Converting Epoch Time

richgalloway — Mon, 06 Apr 2020 00:09:57 GMT

There are several ways to do that.

Start with | tstats latest(_time) as time WHERE index=* BY index then add your choice of

| eval time = strftime(time, "%c")

| convert ctime(time)

| fieldformat time = strftime(time, "%c")

Re: Converting Epoch Time

to4kawa — Mon, 06 Apr 2020 00:18:07 GMT

see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

month/day/year format is %x

but

| tstats latest(_time) as _time WHERE index=* BY index

This is enough.

Re: Converting Epoch Time

itsmevic — Mon, 06 Apr 2020 00:27:45 GMT

Using the following worked:

| tstats latest(_time) as time WHERE index=* BY index
| eval time=strftime(time, "%c")

Thank you!

Re: Converting Epoch Time

sxpati2 — Sun, 26 Mar 2023 11:39:55 GMT

This works for me: | eval time = strftime(time, "%c")

Re: Converting Epoch Time

sxpati2 — Sun, 26 Mar 2023 11:45:47 GMT

index=prd* /inf/bnkng/evnt/arrngmntorigevnt/consumr/mrtgeorig/v1/submissions/*/applications/submissionView "includeHomeInsuranceDetails=Y" ssl_client_verify= SUCCESS|table request, time|eval time = strftime(time, "%c")

Result:

GET /inf/bnkng/evnt/arrngmntorigevnt/consumr/mrtgeorig/v1/submissions/SUB501460231068589/applications/submissionView?brandSilo=ANZYU&includeHomeInsuranceDetails=Y HTTP/1.1	Sun Mar 26 08:09:28 2023
GET /inf/bnkng/evnt/arrngmntorigevnt/consumr/mrtgeorig/v1/submissions/SUB503765231068589/applications/submissionView?brandSilo=ANZYD&includeHomeInsuranceDetails=Y HTTP/1.1	Sun Mar 26 08:28:09 2023