I would like to ask a doubt:
For the following time format, we can use the following timestamp, just as an example:
time format: 2020-11-09 11:20:35
timestamp: %Y-%m-%d %H:%M:%S
Here is my doubt:
For the following 13-digit epoch time format, which timestamp can we use?
time format: 1589479343000
timestamp: ?
I am working on the Eventgen app to generate the 13-digit epoch time.
Thanks in advance
Hi
Did you get an answer to this?
I am also trying to generate data in epoch, but I am not sure how to do it.
Any help would be great, thanks
Rob
In general, epoch time can be converted using strftime and any time format,
e.g.
formatted=strftime(1589479343000,"%Y-%m-%d %H:%M:%S")
Does that work?
Hi @renjith_nair,
Thank you for your reply.
Actually, I'm not trying to convert the epoch time. I need it in the epoch time format.
I'd like to generate epoch time in the same format (1589479343000), so I just need the timestamp for that specified epoch time (if it is possible).
I'd like to generate multiple events in the Eventgen app, so I need the timestamp to generate epoch time,
not the conversion of any time format.
I have data like this: "$date": 1589530298000
To generate more data in the Eventgen app I used the token like this:
token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = ?
What should I add in token.2.replacement = to get the epoch time?
Thank you
Sorry, not sure if I have got it correctly.
So you have an epoch as part of your data which is in the format "$date": 1589530298000
Do you want to replace it or convert it? If you do not want to replace it, just don't add anything to the replacement.
token.<n>.replacement = <string> | <strptime> | ["list","of","strptime"] | guid | ipv4 | ipv6 | mac | integer[<start>:<end>] | float[<start>:<end>] | string(<i>) | hex(<i>) | list["list", "of", "values"] | <replacement file name> | <replacement file name>:<column number> | <integer>
* 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
* For <string>, the token will be replaced with the value specified.
* For <strptime>, a strptime formatted string to replace the timestamp with
* For ["list","of","strptime"], only used with replaytimestamp, a JSON formatted list of strptime
formats to try. Will find the replace with the same format which matches the replayed timestamp.
* For guid, the token will be replaced with a random GUID value.
* For ipv4, the token will be replaced with a random valid IPv4 Address (i.e. 10.10.200.1).
* For ipv6, the token will be replaced with a random valid IPv6 Address (i.e. c436:4a57:5dea:1035:7194:eebb:a210:6361).
* For mac, the token will be replaced with a random valid MAC Address (i.e. 6e:0c:51:c6:c6:3a).
* For integer[<start>:<end>], the token will be replaced with a random integer between
start and end values where <start> is a number greater than 0
and <end> is a number greater than 0 and greater than or equal to <start>. If rated,
will be multiplied times hourOfDayRate and dayOfWeekRate.
* For float[<start>:<end>], the token will be replaced with a random float between
start and end values where <end> is a number greater than or equal to <start>.
For floating point numbers, precision will be based off the precision specified
in <start>. For example, if we specify 1.0, precision will be one digit, if we specify
1.0000, precision will be four digits. If rated, will be multiplied times hourOfDayRate and dayOfWeekRate.
* For string(<i>), the token will be replaced with i number(s) of ASCII characters where 'i' is a number greater than 0.
* For hex(<i>), the token will be replaced with i number of Hexadecimal characters [0-9A-F] where 'i' is a number greater than 0.
* For list, the token will be replaced with a random member of the JSON list provided.
* For <replacement file name>, the token will be replaced with a random line in the replacement file.
* Replacement file name should be a fully qualified path (i.e. $SPLUNK_HOME/etc/apps/windows/samples/users.list).
* Windows separators should contain double forward slashes '\\' (i.e. $SPLUNK_HOME\\etc\\apps\\windows\\samples\\users.list).
* Unix separators will work on Windows and vice-versa.
* Column numbers in mvfile or seqfile references are indexed at 1, meaning the first column is column 1, not 0.
* <integer> used as the seed for integerid.
* Defaults to None.
To be more specific, @renjith_nair:
I have data like this: "$date": 1589530298000
This is an old date in epoch time,
so I'm trying to replace it with the current date and time in the same epoch time format.
For that I used the conf like this:
token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = I've no idea what to add here to replace the old epoch time with the current date and time in epoch time.
I hope you understand.
Thanks in advance
Thank you for your reply @renjith_nair
I want to replace it with the current date and time in epoch time format.
Looks like it depends on the earliest and latest time you configure. So if you are configuring earliest and latest to the recent time (e.g. -10m -> now()) and provide a strptime format, then it should replace the timestamp. Not tested though.
Hello @renjith_nair,
Thanks for your response.
Actually, the strptime format is the problem. I've used a format like %s, but it only provides a 10-digit epoch time instead of 13, and the events are changing from raw data to JSON format automatically.
The timestamp in the data, e.g. 1589530298000, resolves to a future date due to the trailing zeros. I haven't tried it, but can't you adjust the regex to capture only the 10 digits and convert them? Sorry, I can't think of any other methods.
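
The suggestion in the last reply, sketched in Python as an added example (not code from the thread and not Eventgen's own code): it shows why the 13-digit value lands far in the future when read as seconds, and how overwriting only the first 10 digits with a seconds epoch keeps the field 13 digits long. The pattern, function names and sample event are hypothetical, and it assumes the replacement is applied to capture group 1 only.

```python
import re
from datetime import datetime, timezone

# Constructed sample event; the "$date" value is the one quoted in the thread.
SAMPLE_EVENT = '{"user": "alice", "ts": {"$date": 1589530298000}}'

# Hypothetical token pattern: group 1 holds the 10 seconds digits; the 3
# millisecond digits stay outside the group and are left untouched.
TOKEN_RE = re.compile(r'"\$date":\s*(\d{10})\d{3}\b')

SECONDS_PER_YEAR = 31_556_952  # mean Gregorian year


def year_if_read_as_seconds(value: int) -> int:
    """Approximate calendar year when an epoch value is treated as seconds."""
    return 1970 + value // SECONDS_PER_YEAR


def ms_epoch_to_utc(value_ms: int) -> datetime:
    """Interpret a 13-digit epoch as milliseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(value_ms / 1000, tz=timezone.utc)


def refresh_ms_epoch(event: str, now_s: int) -> str:
    """Overwrite only capture group 1 with a 10-digit epoch (what %s yields)."""
    def splice(m: re.Match) -> str:
        whole, base = m.group(0), m.start()
        start, end = m.span(1)
        return whole[:start - base] + f"{now_s:010d}" + whole[end - base:]
    return TOKEN_RE.sub(splice, event)


if __name__ == "__main__":
    old = 1589530298000
    print("year if read as seconds:", year_if_read_as_seconds(old))
    print("read as milliseconds:   ", ms_epoch_to_utc(old).isoformat())
    now_s = int(datetime.now(timezone.utc).timestamp())
    print(refresh_ms_epoch(SAMPLE_EVENT, now_s))
```

The regenerated value always ends in the original three millisecond digits, so events produced within the same second share a timestamp.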