Solved: Convert Epoch timestamp - Splunk Community

Getting Data In

I am trying to convert epoch timestamp of stopTime into %m/%d/%Y %H:%M:%S , but I am getting 12/31/9999 23:59:59

"traceId":xxxxx,"startTime":1395740488120,"stopTime":1395740497550

This is what I am using -

rex "^(?:[^:\n]*:){3}(?P<endtime>\d+)" | eval StopTime=strftime(endtime, "%m/%d/%Y %H:%M:%S")

Could someone please let me know what could be the problem?

TIA

1 Solution

Solution

Hi,

Are you using the time in millisecond format? Please see following time comparison:
1427110824 - Epoch time for today
1395740497550

If you divide endtime by 1000, it should work fine.

Thanks!

View solution in original post

Solution

Hi,

Are you using the time in millisecond format? Please see following time comparison:
1427110824 - Epoch time for today
1395740497550

If you divide endtime by 1000, it should work fine.

Thanks!

Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...