Hi @islam
Search-time conversion: you have to first extract the epoch into a field name. For example, if you have extracted it to the field name epoc_time.
Then inside props.conf, place this conf on Search Head, $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.
[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")
A new field will get added as 'readable_time' when you search the sourcetype.
-----
An upvote would be appreciated if it helps!
Based on the epoch time value you provided, I am assuming it is with nanoseconds.
If it is _time, you can add TIME_FORMAT = %s%9N in your props.conf to tell Splunk that the timestamp is in epoch form with nanoseconds.
If it is not _time, you can create a calculated field using something like this:
strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")
If you are doing it in search:
| eval timefield=strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")