Security

Change epoc time to human readable format

islam
Explorer

Hi,

i have indexed logs with epoc time format in the raw event like 1623070612620000000,

and this time field is parsed in this format also.

i want to convert this time format to human readable one in permanent way, how can i do that ?

 

Labels (1)
Tags (1)
0 Karma
1 Solution

venkatasri
Influencer

Hi @islam 

Search-time conversion,  You have to first extract the epoc into a field_name. For example if you have extracted to field_name - epoc_time.

Then inside props.conf, place this conf on Search Head,  $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.

[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")

 A new filed will get added as 'readable_time' when you search the sourcetype. 

-----

An upvote would be appreciated if it helps!

View solution in original post

0 Karma

rupkumar4sec
Path Finder

Based on the epoch time value you provided, I am assuming it is with nano seconds.


If it is _time, you can add TIME_FORMAT = %s%9N in your props.conf for telling Splunk that timestamp is in epoch form with nanoseconds.

If it is not _time, You can create a calculated field using something like this
strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")

If you are doing it in search:
| eval timefield=strftime(tiemfield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")


0 Karma

venkatasri
Influencer

Hi @islam 

Search-time conversion,  You have to first extract the epoc into a field_name. For example if you have extracted to field_name - epoc_time.

Then inside props.conf, place this conf on Search Head,  $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.

[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")

 A new filed will get added as 'readable_time' when you search the sourcetype. 

-----

An upvote would be appreciated if it helps!

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.