Getting Data In

i want to convert my sample data to time stamp.

changwoo
Communicator

i have a raw data like 123::1312:3232::429384 and trying to included to my splunk ( to add data )

the last data 429384 is my second and i want this value to be my time stamp ..

what can i do ? :-<

Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi changwoo,

you can find all information about timestamp recognition in the docs.

Take a closer look at Configure timestamps for specific needs

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi changwoo,

you can find all information about timestamp recognition in the docs.

Take a closer look at Configure timestamps for specific needs

cheers, MuS

changwoo
Communicator

thanks.... i think i got it!!!!

thanks for MuS and kristian.kolb

0 Karma

kristian_kolb
Ultra Champion

You say;

"the last data 429384 is my second..."

So, the second since WHEN? Internally Splunk converts timestamps (one per event) into epoch which is the number of seconds since midnight Jan 1 1970. Currently, such values are 1389169530 or above. As you can see, your values of 400K is little over a week, say Jan 8 1970. Perhaps your timestamp is counting since the start of 2014, or your system still thinks it's 1970.

If you ALSO think it's 1970, you can set TIME_FORMAT = %s
in props.conf. 🙂

Otherwise you'll have to reconfigure your system/application to create better timestamps.

MuS
SplunkTrust
SplunkTrust

extract the seconds as new field, if not done already. Use this new field in an eval to replace _time.

your search | rex "(?\d+)$" | eval _time=MyTime

this will replace _time with the value of the seconds from your raw data. the regex is based on the provided data, this means the format does not change nor will there be any other events.

changwoo
Communicator

um... i can't even search the datas..
My seconds raw data is not getting into the timestamp
my raw data time stamp is showing the current time...

0 Karma

MuS
SplunkTrust
SplunkTrust

okay, use eval with function tostring()
tostring(X,"duration") converts seconds X to readable time format HH:MM:SS.
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions

does that make sense?

0 Karma

changwoo
Communicator

i am looking for converting my raw second data to timestamp...

NOT converting the format of the timestamp ..

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...