Security

Change epoc time to human readable format

islam
Explorer

Hi,

i have indexed logs with epoc time format in the raw event like 1623070612620000000,

and this time field is parsed in this format also.

i want to convert this time format to human readable one in permanent way, how can i do that ?

 

Labels (1)
Tags (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @islam 

Search-time conversion,  You have to first extract the epoc into a field_name. For example if you have extracted to field_name - epoc_time.

Then inside props.conf, place this conf on Search Head,  $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.

[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")

 A new filed will get added as 'readable_time' when you search the sourcetype. 

-----

An upvote would be appreciated if it helps!

View solution in original post

0 Karma

rupkumar4sec
Path Finder

Based on the epoch time value you provided, I am assuming it is with nano seconds.


If it is _time, you can add TIME_FORMAT = %s%9N in your props.conf for telling Splunk that timestamp is in epoch form with nanoseconds.

If it is not _time, You can create a calculated field using something like this
strftime(timefield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")

If you are doing it in search:
| eval timefield=strftime(tiemfield/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")


0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @islam 

Search-time conversion,  You have to first extract the epoc into a field_name. For example if you have extracted to field_name - epoc_time.

Then inside props.conf, place this conf on Search Head,  $SPLUNK_HOME/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local.

[your_sourcetype]
EVAL-readable_time=strftime(epoc_time/pow(10,9), "%d-%m-%YT%H:%M:%S.%3Q")

 A new filed will get added as 'readable_time' when you search the sourcetype. 

-----

An upvote would be appreciated if it helps!

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...