topic Re: Not seeing any results with strftime in Splunk Search

Why am I Not seeing any results with strftime?

mninansplunk — Wed, 30 Aug 2023 16:33:26 GMT

Hello everyone,

I am going crazy trying to figure out why this isn't working. I have a field called "alert.createdAt" that contains an EPOCH time. (1693398386408). I need to convert this to be Human Readable (08/30/2023 09:26:47). However, when using the strftime, I don't see anything being returned.

My Search is:

SEARCH | eval c_time=strftime (alert.createdAt,"%m-%d-%Y %H:%M:%S") | table c_time

I have been going thru all of the previous solutions I could find, but I can't seem to get this to work. Is there another way to achieve this, or am I just way off on how I am trying to do this. : )

Thanks for any help, much appreciated

Tom

Re: Not seeing any results with strftime

ITWhisperer — Wed, 30 Aug 2023 13:58:05 GMT

Field names with special characters such as dots (.) need to be referenced in single quotes, plus it looks like you time value is in milliseconds not seconds (used by epoch time). Try this:

Re: Not seeing any results with strftime

mninansplunk — Wed, 30 Aug 2023 14:35:37 GMT

Thank you very much for the quick help, that did the trick.