Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract Epoch Time as readable time format using props.conf

SplunkDash
Motivator
‎08-17-2024 03:53 PM

Hello,

I have events with epoch time. How can I extract epoch time in human readable format using props.conf. My props.conf file is provided below:

[myprops]

SHUOLD_LINEMERGE=false

LINE_BREAK=([\r\n]+)

TIME_PREFIX="timestamp":

TIME_FORMAT=%s%3N

Sample Events:

{"id":"A303", "timestamp":1723933920339","message":"average time to transfer file"}

{"id":"A307", "timestamp":1723933915610","message":"average time to hold process"}

{"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}

Extracted time should be: YYYY-mm-ddTHH:MM:SS.3N 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2024 05:06 PM

Your existing props.conf settings are good for telling Splunk how to extract _time from the events.  Don't try to put _time into human-readable format.  That's done automatically at search time.  Forcing it at ingest time will break how Splunk stores and retrieves events.

If you need another field to contain a human-readable form of _time then do it at search time using EVAL in props.conf.

[myprops]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "timestamp":
TIME_FORMAT = %s%3N
EVAL-timestamp = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N")

This applies to all apps, not just Enterprise Security

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2024 05:06 PM

Your existing props.conf settings are good for telling Splunk how to extract _time from the events.  Don't try to put _time into human-readable format.  That's done automatically at search time.  Forcing it at ingest time will break how Splunk stores and retrieves events.

If you need another field to contain a human-readable form of _time then do it at search time using EVAL in props.conf.

[myprops]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "timestamp":
TIME_FORMAT = %s%3N
EVAL-timestamp = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N")

This applies to all apps, not just Enterprise Security

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...