I have this on my log including epoch time, how I can convert the time next to msg to readable time.
"rank=msg(1489546552.151:69280424)"
...|rex field=rank "msg\((?<epoch>\d+\.\d+)"
| convert ctime(epoch)
| table epoch
Like this:
The setup:
| makeresults | eval rank="msg(1489546552.151:69280424)"
The solution:
| rex field=rank "msg\((?<epoch>\d+\.\d+)"
| fieldformat epoch=strftime(epoch, "%m/%d/%Y %H:%M:%S")
...|rex field=rank "msg\((?<epoch>\d+\.\d+)"
| convert ctime(epoch)
| table epoch
thanks ,that works as expected.