Solved: How to configure Time Format from Epoch (13 digits...

lmmills · ‎08-24-2022

I am new to Splunk so please forgive me for what I do not know. We are getting events with start=1661359208771 and need to covert it to a readable timestamp. I have tried changing the below Timestamp format and prefix with no luck. Any suggestions?

richgalloway · ‎08-24-2022

You had the right TIME_FORMAT the first time. These settings should do it.

TIME_PREFIX = start=
TIME_FORMAT = %s%3N

If you need to experiment with ingest settings, try using the Add Data wizard.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-24-2022

You had the right TIME_FORMAT the first time. These settings should do it.

TIME_PREFIX = start=
TIME_FORMAT = %s%3N

If you need to experiment with ingest settings, try using the Add Data wizard.

---
If this reply helps you, Karma would be appreciated.

How to configure Time Format from Epoch (13 digits)?

configuration

using Splunk Cloud

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation