Solved: Convert Epoch timestamp - Splunk Community

Getting Data In

I am trying to convert epoch timestamp of stopTime into %m/%d/%Y %H:%M:%S , but I am getting 12/31/9999 23:59:59

"traceId":xxxxx,"startTime":1395740488120,"stopTime":1395740497550

This is what I am using -

rex "^(?:[^:\n]*:){3}(?P<endtime>\d+)" | eval StopTime=strftime(endtime, "%m/%d/%Y %H:%M:%S")

Could someone please let me know what could be the problem?

TIA

1 Solution

Solution

Hi,

Are you using the time in millisecond format? Please see following time comparison:
1427110824 - Epoch time for today
1395740497550

If you divide endtime by 1000, it should work fine.

Thanks!

View solution in original post

Solution

Hi,

Are you using the time in millisecond format? Please see following time comparison:
1427110824 - Epoch time for today
1395740497550

If you divide endtime by 1000, it should work fine.

Thanks!

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...