Getting Data In

convert epoch time to human readable format issue

Arpmjdr
Explorer

Hello Fellows,

I am trying to convert epoch time to "%m/%d/%Y %H:%M:%S" format. The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. It is not showing any value in the human readable time column.Kindly help

events:

query I am using:
index=abc sourcetype=xyz
| rex field=_raw ^(?P\d+\s+)
| eval timestamp=strftime(strptime(epoch_time,"%m/%d/%Y %H:%M:%S"),"%m/%d/%Y %H:%M:%S")
| table host epoch_time timestamp

0 Karma
1 Solution

jpolvino
Builder

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

View solution in original post

jpolvino
Builder

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

Arpmjdr
Explorer

you are 100% correct @jpolvino my rex command was not proper.Now it is working perfect ..Thank u 🙂

0 Karma

Sukisen1981
Champion

can you show how your extracted epoch time looks like?

0 Karma

Arpmjdr
Explorer

sure.it is reflecting as "1568095811"

0 Karma

Arpmjdr
Explorer

i have used this to extract "| rex field=_raw ^(?P(epoch_time)\d+\s+)" .. the line dint come properly while posting the question.

0 Karma

Sukisen1981
Champion

if your epoch_time is coming as a number, you probably need this eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")| table host epoch_time timestamp

0 Karma

Arpmjdr
Explorer

I have tried this already.But no value is coming in the "timestamp" column in the table

0 Karma

Sukisen1981
Champion

can you check if the epoch_time is coming as number or string when you extract it? it should come as # indicating number type, if it is coming as string use a tonumber() to convert the string to a number

0 Karma

Arpmjdr
Explorer

My rex command was not correct @Sukisen1981 . now it worked..Appreciate your inputs 🙂

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...