I have indexed logs with an epoch time format in the raw event, like 1623070612620000000,
and this time field is parsed in this format as well.
I want to convert this time format to a human-readable one in a permanent way; how can I do that?
Search-time conversion: you first have to extract the epoch into a field name. For example, say you have extracted it to the field name epoc_time.
Then inside props.conf, place this conf on the Search Head, in $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.
A new field named 'readable_time' will get added when you search the sourcetype.
An upvote would be appreciated if it helps!
Based on the epoch time value you provided, I am assuming it is in nanoseconds.
If it is _time, you can add TIME_FORMAT = %s%9N in your props.conf to tell Splunk that the timestamp is in epoch form with nanoseconds.
If it is not _time, you can create a calculated field using something like this:
strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")
If you are doing it in search:
| eval timefield=strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")
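An added example (not code from either answer) in Python that does the same conversion outside Splunk, e.g. when normalising the raw logs before ingestion or cross-checking a forensic timeline: the unit is chosen by magnitude (the thresholds are an assumption of this example) and the split uses integer arithmetic so that the last nanosecond digits survive, which a floating-point division like timefield/pow(10,9) cannot guarantee for a 19-digit value.

```python
from datetime import datetime, timezone

# Magnitude thresholds (an assumption of this example, not a Splunk rule):
# epoch seconds stay below 1e11 until the year 5138, so each extra group of
# three digits is taken to mean a finer unit (ms, us, ns).
UNIT_THRESHOLDS = (
    (10**11, "s", 1),
    (10**14, "ms", 10**3),
    (10**17, "us", 10**6),
)

def split_epoch(raw):
    """Return (unit, whole_seconds, fraction_in_ns) for an integer epoch value.

    Integer divmod keeps every digit; converting to a double first would
    round the value, since a double cannot represent all 19 digits.
    """
    value = int(str(raw).strip())
    for limit, unit, divisor in UNIT_THRESHOLDS:
        if value < limit:
            break
    else:
        unit, divisor = "ns", 10**9
    whole, frac = divmod(value, divisor)
    return unit, whole, frac * (10**9 // divisor)

def epoch_to_iso(raw):
    """Render the epoch as ISO 8601 UTC, with as many fractional digits as the unit has."""
    unit, whole, frac_ns = split_epoch(raw)
    base = datetime.fromtimestamp(whole, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    digits = {"s": 0, "ms": 3, "us": 6, "ns": 9}[unit]
    if digits == 0:
        return base + "Z"
    return f"{base}.{frac_ns // 10**(9 - digits):0{digits}d}Z"

def float_seconds(raw):
    """The float path, shown for comparison: the integer becomes a double before
    the division, so two values one nanosecond apart can collapse to one result."""
    return int(raw) / 1e9
```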