Security

Extract Epoch Time as readable time format using props.conf

SplunkDash
Motivator

Hello,

I have events with epoch time. How can I extract epoch time in human-readable format using props.conf? My props.conf file is provided below:

[myprops]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
TIME_PREFIX="timestamp":
TIME_FORMAT=%s%3N

Sample Events:

{"id":"A303", "timestamp":1723933920339","message":"average time to transfer file"}

{"id":"A307", "timestamp":1723933915610","message":"average time to hold process"}

{"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}

Extracted time should be: YYYY-mm-ddTHH:MM:SS.3N 

 

 

 


richgalloway
SplunkTrust

Your existing props.conf settings are good for telling Splunk how to extract _time from the events.  Don't try to put _time into human-readable format.  That's done automatically at search time.  Forcing it at ingest time will break how Splunk stores and retrieves events.

If you need another field to contain a human-readable form of _time then do it at search time using EVAL in props.conf.

[myprops]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "timestamp":
TIME_FORMAT = %s%3N
EVAL-timestamp = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N")

This applies to all apps, not just Enterprise Security.

---
If this reply helps you, Karma would be appreciated.
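
An offline sanity check for the stanza above, as an added example that is not part of the original answer and not Splunk's own code: it emulates in Python what `TIME_PREFIX` and `TIME_FORMAT = %s%3N` are meant to pick out of the sample events, and what the `strftime` format then renders. The function names are hypothetical, output is rendered in UTC as an assumption (Splunk applies the searching user's time zone), and the last sample event is constructed.

```python
import re
from datetime import datetime, timezone

# Same literal prefix as TIME_PREFIX in the stanza; \d{13} stands in for
# TIME_FORMAT = %s%3N (10 digits of epoch seconds + 3 digits of milliseconds).
TIMESTAMP_RE = re.compile(r'"timestamp":(\d{13})(?!\d)')


def extract_epoch_ms(raw_event):
    """Return the epoch-millisecond integer that follows the prefix, or None."""
    match = TIMESTAMP_RE.search(raw_event)
    return int(match.group(1)) if match else None


def render_iso(epoch_ms):
    """Format like strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N"); UTC is an assumption."""
    seconds, millis = divmod(epoch_ms, 1000)  # integer math avoids float rounding
    moment = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return f"{moment:%Y-%m-%dT%H:%M:%S}.{millis:03d}"


def check_events(raw_events):
    """Map each event to its rendered time, or None if no 13-digit epoch is found."""
    results = []
    for raw in raw_events:
        epoch_ms = extract_epoch_ms(raw)
        results.append(render_iso(epoch_ms) if epoch_ms is not None else None)
    return results


# The first three events are copied from the question as posted. The last one is
# constructed (seconds-only epoch) to show an event this pattern would not cover.
SAMPLE_EVENTS = [
    '{"id":"A303", "timestamp":1723933920339","message":"average time to transfer file"}',
    '{"id":"A307", "timestamp":1723933915610","message":"average time to hold process"}',
    '{"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}',
    '{"id":"X000", "timestamp":1723933920,"message":"constructed seconds-only event"}',
]

if __name__ == "__main__":
    for raw, rendered in zip(SAMPLE_EVENTS, check_events(SAMPLE_EVENTS)):
        print(rendered or "NO 13-DIGIT EPOCH", "<-", raw)
```

An event that comes back as `None` here is one to inspect before relying on its `_time` in a timeline or correlation search.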
