Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Epoch time stamp delemma - how do I convert the epoch time stamp upon ingestion ?

jcorcorans
Engager
‎07-08-2024 11:14 AM

Is there a Regex to convert the epoch to human readable time upon ingestion ?

 

 

[1720450799] Error: Got check result for service 'CPU Usage' on host.
[1720450799] Error: Got check result for service 'Disk Usage var' on host.
[1720450799] Error: Got check result for service 'Disk Usage opt' on host.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Motivator
‎07-08-2024 11:23 AM

Regex does not convert the epoch time, but it can extract the time for further conversion.

If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime()

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-10-2024 02:31 PM

Hi @jcorcorans .. one basic query.. do you want to onboard the logs or the logs already onboarded and they contain timestamp in epoch format(for example - 1720450799)


using the props.conf, during the data onboarding/ingestion, we can specify which field got the timestamp and its format. so splunk will read the timestamp and the logs fine.  (the timestamp internal to splunk is epoch time format. when displaying on search results, Splunk converts the timestamp to human readable format)

once you have ingested/onboarded the logs, and the timestamp is still showing as epoch format, then, you can use convert functions. 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2024 11:14 PM

Try something like this

TIME_FORMAT = [%s]
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-08-2024 11:06 PM

Hi @jcorcorans ,

as @marnall said, your events should take the timestamp from the time in epochtime in square parenthesis and assign it to the _time field: it will be readable during the event display.

If not, you can extract this epochtime using a regex and then convert it using an eval, regex cannot be used for convertion:

<your_search>
| rex "\[(?<epoch_timestamp>\d+)\]"
| eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")

 Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

marnall
Motivator
‎07-08-2024 11:23 AM

Regex does not convert the epoch time, but it can extract the time for further conversion.

If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime()

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise Security 8.0!

Join us on Wednesday, November 20 to learn about Splunk Enterprise Security 8.0!To enhance SOC efficiency, ...

Mastering Threat Hunting

Register to watch Mastering Threat Hunting on Monday, November 18Join us for an insightful talk where we dive ...

Upcoming Community Maintenance: 10/28

Howdy folks, just popping in to let you know that the Splunk Community site will be in read-only mode ...