Extract Epoch Time as readable time format using props.conf

SplunkDash
Motivator

Hello,

I have events with epoch time. How can I extract the epoch time in a human-readable format using props.conf? My props.conf file is provided below:

[myprops]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
TIME_PREFIX="timestamp":
TIME_FORMAT=%s%3N

Sample Events:

{"id":"A303", "timestamp":1723933920339","message":"average time to transfer file"}
{"id":"A307", "timestamp":1723933915610","message":"average time to hold process"}
{"id":"A309", "timestamp":1723933735652","message":"average time to transfer file"}

Extracted time should be: YYYY-mm-ddTHH:MM:SS.3N

1 Solution

richgalloway
SplunkTrust

Your existing props.conf settings are good for telling Splunk how to extract _time from the events. Don't try to put _time into human-readable format. That's done automatically at search time. Forcing it at ingest time will break how Splunk stores and retrieves events.

If you need another field to contain a human-readable form of _time, then do it at search time using EVAL in props.conf.

[myprops]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "timestamp":
TIME_FORMAT = %s%3N
EVAL-timestamp = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3N")

This applies to all apps, not just Enterprise Security.

---
If this reply helps you, Karma would be appreciated.
