I have raw data like 123::1312:3232::429384 and I'm trying to include it in my Splunk (to add data).
The last value, 429384, is my seconds, and I want this value to be my timestamp.
What can I do? :-<
"the last data 429384 is my second..."
So, the seconds since WHEN? Internally Splunk converts timestamps (one per event) into epoch, which is the number of seconds since midnight Jan 1 1970. Currently, such values are 1389169530 or above. As you can see, your value of 400K is a little over a week, say Jan 8 1970. Perhaps your timestamp is counting since the start of 2014, or your system still thinks it's 1970.
If you ALSO think it's 1970, you can set
TIME_FORMAT = %s
in props.conf. 🙂
Otherwise you'll have to reconfigure your system/application to create better timestamps.
Extract the seconds as a new field, if not done already. Use this new field in an eval to replace _time.
your search | rex "(?
This will replace _time with the value of the seconds from your raw data. The regex is based on the provided data; this means the format does not change, nor will there be any other events.
Okay, use eval with the function tostring().
tostring(X,"duration") converts seconds X to the readable time format HH:MM:SS.
Does that make sense?
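The three answers above describe one pipeline: pull the trailing field out of the raw event, treat it as seconds (which is what TIME_FORMAT = %s does, i.e. seconds since the 1970 epoch), and optionally render it as a HH:MM:SS duration. The following Python is an added, stand-alone illustration of that pipeline outside Splunk, not code from the thread or from Splunk itself; it uses a constructed sample event in the question's format, assumes the seconds field is always the last "::"-delimited field, and approximates Splunk's tostring(X,"duration") rendering (the "D+HH:MM:SS" form for values over a day is an assumption about how Splunk prints it). The plausibility check encodes the first answer's point: a value that lands in 1970 is a sign the field is not a real epoch timestamp.

```python
import re
from datetime import datetime, timezone

# Constructed sample event in the question's format (not real data).
SAMPLE_EVENT = "123::1312:3232::429384"

# Epoch value the first answer quotes as "current" at the time of writing;
# anything far below it did not come from a clock that knows today's date.
REFERENCE_EPOCH = 1389169530

# Matches the digit run after the final '::' separator, i.e. the field the
# thread wants to use as the timestamp. Anchored so trailing garbage fails.
LAST_FIELD_RE = re.compile(r"::(?P<seconds>\d+)$")


def extract_seconds(event: str) -> int:
    """Return the last '::'-delimited field of an event as an int.

    Raises ValueError if the event does not end in '::<digits>', so a
    malformed line is rejected rather than silently given a bogus _time.
    """
    m = LAST_FIELD_RE.search(event.strip())
    if m is None:
        raise ValueError(f"no trailing seconds field in: {event!r}")
    return int(m.group("seconds"))


def as_epoch_datetime(seconds: int) -> datetime:
    """Interpret the field the way TIME_FORMAT = %s would: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def as_duration(seconds: int) -> str:
    """Approximate tostring(X, "duration"): HH:MM:SS, with a 'D+' prefix past one day (assumed format)."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    core = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{core}" if days else core


def looks_like_current_epoch(seconds: int, reference: int = REFERENCE_EPOCH) -> bool:
    """Sanity check from the first answer: a real 'now' epoch is at or above the reference.

    Values like 429384 fail this, which tells you the field is a counter or
    offset (e.g. seconds since some application start), not an absolute time.
    """
    return seconds >= reference


def parse_event(event: str) -> dict:
    """Assemble what the thread's rex + eval would produce: the raw line, the
    extracted seconds, the resulting _time, and whether that _time is plausible."""
    seconds = extract_seconds(event)
    return {
        "_raw": event,
        "seconds": seconds,
        "_time": as_epoch_datetime(seconds),
        "duration": as_duration(seconds),
        "plausible_epoch": looks_like_current_epoch(seconds),
    }


if __name__ == "__main__":
    parsed = parse_event(SAMPLE_EVENT)
    for key, value in parsed.items():
        print(f"{key}: {value}")
```

Run as a script it prints the extracted 429384, the _time it would map to under %s (1970-01-05 23:16:24 UTC), the duration rendering (4+23:16:24), and plausible_epoch: False, which is exactly the "your system still thinks it's 1970" diagnosis from the first answer. If the field is really an offset from some other start, the fix belongs upstream in the application, as that answer says, rather than in props.conf.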