Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change epoc time to human readable format

islam
Explorer
‎06-10-2021 05:33 PM

Hi,

i have indexed logs with epoc time format in the raw event like 1623070612620000000,

and this time field is parsed in this format also.

i want to convert this time format to human readable one in permanent way, how can i do that ?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-10-2021 06:56 PM

Hi @islam 

Search-time conversion,  You have to first extract the epoc into a field_name. For example if you have extracted to field_name - epoc_time.

Then inside props.conf, place this conf on Search Head,  $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.

[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")

 A new filed will get added as 'readable_time' when you search the sourcetype. 

-----

An upvote would be appreciated if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rupkumar4sec
Path Finder
‎06-10-2021 06:59 PM

Based on the epoch time value you provided, I am assuming it is with nano seconds.


If it is _time, you can add TIME_FORMAT = %s%9N in your props.conf for telling Splunk that timestamp is in epoch form with nanoseconds.

If it is not _time, You can create a calculated field using something like this
strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")

If you are doing it in search:
| eval timefield=strftime(tiemfield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")


0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-10-2021 06:56 PM

Hi @islam 

Search-time conversion,  You have to first extract the epoc into a field_name. For example if you have extracted to field_name - epoc_time.

Then inside props.conf, place this conf on Search Head,  $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.

[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")

 A new filed will get added as 'readable_time' when you search the sourcetype. 

-----

An upvote would be appreciated if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...