Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Epoch time stamp delemma - how do I convert the epoch time stamp upon ingestion ?

jcorcorans
Explorer
‎07-08-2024 11:14 AM

Is there a Regex to convert the epoch to human readable time upon ingestion ?

 

 

[1720450799] Error: Got check result for service 'CPU Usage' on host.
[1720450799] Error: Got check result for service 'Disk Usage var' on host.
[1720450799] Error: Got check result for service 'Disk Usage opt' on host.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Motivator
‎07-08-2024 11:23 AM

Regex does not convert the epoch time, but it can extract the time for further conversion.

If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime()

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-10-2024 02:31 PM

Hi @jcorcorans .. one basic query.. do you want to onboard the logs or the logs already onboarded and they contain timestamp in epoch format(for example - 1720450799)


using the props.conf, during the data onboarding/ingestion, we can specify which field got the timestamp and its format. so splunk will read the timestamp and the logs fine.  (the timestamp internal to splunk is epoch time format. when displaying on search results, Splunk converts the timestamp to human readable format)

once you have ingested/onboarded the logs, and the timestamp is still showing as epoch format, then, you can use convert functions. 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-08-2024 11:14 PM

Try something like this

TIME_FORMAT = [%s]
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-08-2024 11:06 PM

Hi @jcorcorans ,

as @marnall said, your events should take the timestamp from the time in epochtime in square parenthesis and assign it to the _time field: it will be readable during the event display.

If not, you can extract this epochtime using a regex and then convert it using an eval, regex cannot be used for convertion:

<your_search>
| rex "\[(?<epoch_timestamp>\d+)\]"
| eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")

 Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

marnall
Motivator
‎07-08-2024 11:23 AM

Regex does not convert the epoch time, but it can extract the time for further conversion.

If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime()

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top