thanks.... i think i got it!!!!

thanks for MuS and kristian.kolb

You say;

"the last data 429384 is my second..."

So, the second since WHEN? Internally Splunk converts timestamps (one per event) into epoch which is the number of seconds since midnight Jan 1 1970. Currently, such values are 1389169530 or above. As you can see, your values of 400K is little over a week, say Jan 8 1970. Perhaps your timestamp is counting since the start of 2014, or your system still thinks it's 1970.

If you ALSO think it's 1970, you can set TIME_FORMAT = %s
in props.conf. 🙂

Otherwise you'll have to reconfigure your system/application to create better timestamps.

extract the seconds as new field, if not done already. Use this new field in an eval to replace _time.

your search | rex "(?\d+)$" | eval _time=MyTime

this will replace _time with the value of the seconds from your raw data. the regex is based on the provided data, this means the format does not change nor will there be any other events.

um... i can't even search the datas..
My seconds raw data is not getting into the timestamp
my raw data time stamp is showing the current time...

okay, use eval with function tostring()
tostring(X,"duration") converts seconds X to readable time format HH:MM:SS.
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions

does that make sense?

i am looking for converting my raw second data to timestamp...

NOT converting the format of the timestamp ..