Hello Fellows,
I am trying to convert epoch time to "%m/%d/%Y %H:%M:%S" format. The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. It is not showing any value in the human readable time column.Kindly help
events:
query I am using:
index=abc sourcetype=xyz
| rex field=_raw ^(?P\d+\s+)
| eval timestamp=strftime(strptime(epoch_time,"%m/%d/%Y %H:%M:%S"),"%m/%d/%Y %H:%M:%S")
| table host epoch_time timestamp
Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.
This fails to return a timestamp field:
| makeresults
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")
But this does return the field:
| makeresults
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")
Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.
Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!
Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.
This fails to return a timestamp field:
| makeresults
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")
But this does return the field:
| makeresults
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")
Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.
Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!
you are 100% correct @jpolvino my rex command was not proper.Now it is working perfect ..Thank u 🙂
can you show how your extracted epoch time looks like?
sure.it is reflecting as "1568095811"
i have used this to extract "| rex field=_raw ^(?P(epoch_time)\d+\s+)" .. the line dint come properly while posting the question.
if your epoch_time is coming as a number, you probably need this eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")| table host epoch_time timestamp
I have tried this already.But no value is coming in the "timestamp" column in the table
can you check if the epoch_time is coming as number or string when you extract it? it should come as # indicating number type, if it is coming as string use a tonumber() to convert the string to a number
My rex command was not correct @Sukisen1981 . now it worked..Appreciate your inputs 🙂