I managed to convert the time format from epoch to human readable, but I can't really get the milliseconds out.
Splunk converted it to "5/22/17 5:59:38.000 PM", but https://www.epochconverter.com/ shows May 22, 2017 5:59:38.314 PM.
Reference document: http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configuretimestamprecognition (.%3N should show the milliseconds).
Epoch time should be something like the following: 1495427378.314000, with a decimal point before the milliseconds. You can use %3N to display the milliseconds part.
Following is a run-anywhere search:
| makeresults | eval timeStamp=strptime("05/22/17 09:59:38.314","%m/%d/%y %H:%M:%S.%3N") | eval stringStamp=strftime(timeStamp,"%m/%d/%y %H:%M:%S.%3N")
Documentation for various time format variables: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
PS: The 1st eval is to generate the epoch timestamp. I have used the second eval just to generate a new field to display the time as a string. You should ideally use fieldformat to retain the time as epoch while presenting it as a human-readable time string.
| fieldformat timeStamp=strftime(timeStamp,"%m/%d/%y %H:%M:%S.%3N")
Hi, does it work on 1495427378314000 without the decimal? My log timestamp was displayed without the decimal and I keep getting the time converted as "12/31/99 23:59:59".
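Added example, not part of the thread and not Splunk code: a Python sketch of putting an integer epoch value into the decimal-seconds form described in the answer (1495427378.314000) before formatting it with milliseconds. The function names and the digit-count rule (10 digits = seconds, 13 = milliseconds, 16 = microseconds, 19 = nanoseconds) are assumptions of this example, and output is rendered in UTC, whereas Splunk renders in the search user's time zone.

```python
from datetime import datetime, timezone
from decimal import Decimal

# Assumed mapping for present-day timestamps: number of digits in an
# integer epoch value -> divisor that converts it to seconds.
_DIVISORS = {10: 1, 13: 10**3, 16: 10**6, 19: 10**9}


def epoch_to_seconds(raw):
    """Return an epoch value as Decimal seconds, e.g. 1495427378.314."""
    text = str(raw).strip()
    whole, _, frac = text.partition(".")
    if not whole.isdigit() or (frac and not frac.isdigit()):
        raise ValueError(f"not a numeric epoch value: {raw!r}")
    if frac:
        # A decimal point is only meaningful after whole seconds.
        if len(whole) != 10:
            raise ValueError(f"unexpected integer part in {raw!r}")
        return Decimal(text)
    try:
        divisor = _DIVISORS[len(whole)]
    except KeyError:
        # Refuse to guess: a wrong scale silently yields a wrong date.
        raise ValueError(f"cannot infer unit of {raw!r}") from None
    return Decimal(whole) / divisor


def format_ms(raw):
    """Format like "%m/%d/%y %H:%M:%S.%3N", in UTC."""
    seconds = epoch_to_seconds(raw)
    whole = int(seconds)
    millis = int((seconds - whole) * 1000)  # truncate to 3 digits, no rounding
    stamp = datetime.fromtimestamp(whole, tz=timezone.utc)
    return stamp.strftime("%m/%d/%y %H:%M:%S") + f".{millis:03d}"


if __name__ == "__main__":
    # Constructed inputs: the thread's value written in four different scales.
    for sample in ("1495427378", "1495427378314",
                   "1495427378314000", "1495427378.314000"):
        print(sample, "->", format_ms(sample))
```

Exact `Decimal` arithmetic is used so the millisecond digits are not altered by floating-point rounding.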