Getting Data In

convert epoch time to human readable format issue

Explorer

Hello Fellows,

I am trying to convert epoch time to "%m/%d/%Y %H:%M:%S" format. The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. It is not showing any value in the human readable time column.Kindly help

events:

query I am using:
index=abc sourcetype=xyz
| rex field=raw ^(?P\d+\s+)
| eval timestamp=strftime(strptime(epoch
time,"%m/%d/%Y %H:%M:%S"),"%m/%d/%Y %H:%M:%S")
| table host epoch_time timestamp

0 Karma
1 Solution

Builder

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

View solution in original post

Builder

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

View solution in original post

Explorer

you are 100% correct @jpolvino my rex command was not proper.Now it is working perfect ..Thank u 🙂

0 Karma

Champion

can you show how your extracted epoch time looks like?

0 Karma

Explorer

sure.it is reflecting as "1568095811"

0 Karma

Explorer

i have used this to extract "| rex field=raw ^(?P(epochtime)\d+\s+)" .. the line dint come properly while posting the question.

0 Karma

Champion

if your epochtime is coming as a number, you probably need this ` eval timestamp=strftime(epochtime,"%m/%d/%Y %H:%M:%S")| table host epoch_time timestamp`

0 Karma

Explorer

I have tried this already.But no value is coming in the "timestamp" column in the table

0 Karma

Champion

can you check if the epoch_time is coming as number or string when you extract it? it should come as # indicating number type, if it is coming as string use a tonumber() to convert the string to a number

0 Karma

Explorer

My rex command was not correct @Sukisen1981 . now it worked..Appreciate your inputs 🙂

0 Karma