Getting Data In

Event gen: timestamp for epoch time?

Nith
Explorer

I would like to ask a doubt:

for the following time format, we can use the following timestamp, just for an example

time format:2020-11-09 11:20:35

timestamp:%Y-%m-%d %H:%M:%S

 

here is my doubt

for the following 13-digit epoch time format which timestamp can we use?

time format:1589479343000

timestamp:? 

working on the Eventgen app to generate the 13 digit epoch time.

 

Thanks in Advance


robertlynch2020
Motivator

HI

Did you get an answer to this?

I am also trying to generate data in epoch, but not sure how to do it

 

Any help would be great thanks

Rob


renjith_nair
SplunkTrust

In general epoch time can be converted using strftime and any time format

e.g

| eval formatted=strftime(1589479343000/1000, "%Y-%m-%d %H:%M:%S")

Does that work?

Happy Splunking!

Nith
Explorer

Hi @renjith_nair ,

thank you for your reply,

Actually, I'm not trying to convert the epoch time. I need it as in the epoch time format.

I'd like to generate epoch time in the same format (1589479343000), so I just need the timestamp for that specified epoch time (if it is possible).

I'd like to generate multiple events in the Eventgen app, so I need the timestamp to generate epoch time.

not the conversion of any time format.

I have a data like this :"$date": 1589530298000

to generate more data in Eventgen App I used the token like this

token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = ?

What should I add in token.2.replacement = to get the epoch time?

Thank you

 


renjith_nair
SplunkTrust

Sorry, not sure if I have got it correctly.

So you have an epoch as part of your data which is in the format "$date": 1589530298000

Do you want to replace it or convert it? If you do not want to replace, just don't add anything to the replacement.

token.<n>.replacement = <string> | <strptime> | ["list","of","strptime"] | guid | ipv4 | ipv6 | mac | integer[<start>:<end>] | float[<start>:<end>] | string(<i>) | hex(<i>) | list["list", "of", "values"] | <replacement file name> | <replacement file name>:<column number> | <integer>
* 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
* For <string>, the token will be replaced with the value specified.
* For <strptime>, a strptime formatted string to replace the timestamp with
* For ["list","of","strptime"], only used with replaytimestamp, a JSON formatted list of strptime
  formats to try. Will find the replace with the same format which matches the replayed timestamp.
* For guid, the token will be replaced with a random GUID value.
* For ipv4, the token will be replaced with a random valid IPv4 Address (i.e. 10.10.200.1).
* For ipv6, the token will be replaced with a random valid IPv6 Address (i.e. c436:4a57:5dea:1035:7194:eebb:a210:6361).
* For mac, the token will be replaced with a random valid MAC Address (i.e. 6e:0c:51:c6:c6:3a).
* For integer[<start>:<end>], the token will be replaced with a random integer between 
  start and end values where <start> is a number greater than 0 
  and <end> is a number greater than 0 and greater than or equal to <start>. If rated,
  will be multiplied times hourOfDayRate and dayOfWeekRate.
* For float[<start>:<end>], the token will be replaced with a random float between
  start and end values where <end> is a number greater than or equal to <start>.
  For floating point numbers, precision will be based off the precision specified
  in <start>. For example, if we specify 1.0, precision will be one digit, if we specify
  1.0000, precision will be four digits. If rated, will be multiplied times hourOfDayRate and dayOfWeekRate.
* For string(<i>), the token will be replaced with i number(s) of ASCII characters where 'i' is a number greater than 0.
* For hex(<i>), the token will be replaced with i number of Hexadecimal characters [0-9A-F] where 'i' is a number greater than 0.
* For list, the token will be replaced with a random member of the JSON list provided.
* For <replacement file name>, the token will be replaced with a random line in the replacement file.
  * Replacement file name should be a fully qualified path (i.e. $SPLUNK_HOME/etc/apps/windows/samples/users.list).
  * Windows separators should contain double forward slashes '\\' (i.e. $SPLUNK_HOME\\etc\\apps\\windows\\samples\\users.list).
  * Unix separators will work on Windows and vice-versa.
* Column numbers in mvfile or seqfile references are indexed at 1, meaning the first column is column 1, not 0.
* <integer> used as the seed for integerid.
* Defaults to None.

 

Happy Splunking!

Nith
Explorer

To be more specific @renjith_nair 

I've the data like this "$date": 1589530298000

this is an old date epoch time 

so I'm trying to replace it with the current date and time same as epoch time format.

for that I used the conf like this

token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = I've no idea what to add here to replace the old epoch time with the current date and time in epoch time.

I hope you understand.

Thanks in advance


Nith
Explorer

Thank you for your reply @renjith_nair 

I want to replace it with the current date and time in epoch time format.

 


renjith_nair
SplunkTrust

Looks like it depends on the earliest and latest time you configure. So if you are configuring earliest and latest to the recent time (e.g. -10m -> now()) and provide a strptime format, then it should replace the timestamp. Not tested though.

Happy Splunking!

Nith
Explorer

Hello @renjith_nair 

thanks for your response,

Actually the strptime format is the problem. I've used a format like %s but it is only providing a 10-digit epoch time instead of 13, and the events are changing from raw data to JSON format automatically.


renjith_nair
SplunkTrust

The timestamp in the data, e.g. 1589530298000, resolves to a future date due to the trailing zeros. I haven't tried it, but can't you adjust the regex to capture only the 10 digits and convert them? Sorry, I can't think of any other methods.

Happy Splunking!
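As an added illustration (not Eventgen's code and not posted by anyone in this thread), the following Python stand-in applies the "\$date":([^}]+) token regex from the thread to a constructed sample event and shows the two points raised above: a %s-style replacement yields a 10-digit epoch while the data needs 13 digits (milliseconds), and reading the 13-digit value as seconds pushes the date beyond any representable year. The sample event, the unit argument and the function names are assumptions for the example.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# The $date token regex from the thread, written as a Python raw pattern.
# Note that [^}]+ captures everything up to the next '}', so it relies on
# the value being immediately followed by a closing brace, as in the sample.
DATE_TOKEN = re.compile(r'"\$date":([^}]+)')

# Constructed sample event in the shape quoted in the thread (not real data).
SAMPLE_EVENT = '{"ts": {"$date": 1589530298000}, "msg": "sample"}'


def epoch_seconds(now: float) -> str:
    """10-digit value: what a '%s' strptime replacement produces."""
    return str(int(now))


def epoch_millis(now: float) -> str:
    """13-digit value: the same instant in milliseconds, the format the question asks for."""
    return str(int(now * 1000))


def replace_date_token(event: str, now: float) -> str:
    """Mimic a timestamp token replacement: only the captured group (the old
    epoch) is rewritten with the current 13-digit epoch; the rest of the event,
    including the '"$date":' key and surrounding JSON, is left untouched."""
    def _sub(m: re.Match) -> str:
        prefix = m.group(0)[: m.start(1) - m.start()]  # the literal '"$date":'
        return prefix + " " + epoch_millis(now)
    return DATE_TOKEN.sub(_sub, event)


def epoch_to_utc(value: str, unit: str) -> Optional[datetime]:
    """Interpret a digit string as seconds ('s') or milliseconds ('ms').
    Returns None when the instant is out of datetime's range, which is what
    happens when a 13-digit millisecond value is read as seconds."""
    n = int(value)
    secs = n / 1000 if unit == "ms" else float(n)
    try:
        return datetime.fromtimestamp(secs, tz=timezone.utc)
    except (OverflowError, ValueError, OSError):
        return None


if __name__ == "__main__":
    import time
    print(replace_date_token(SAMPLE_EVENT, time.time()))
    print(epoch_to_utc("1589530298000", "ms"), epoch_to_utc("1589530298000", "s"))
```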