Splunk Enterprise Security

Event gen: timestamp for epoch time

Explorer

I would like to ask a question:

For the following time format, we can use the following timestamp (just as an example):

time format: 2020-11-09 11:20:35

timestamp: %Y-%m-%d %H:%M:%S

Here is my question:

For the following 13-digit epoch time format, which timestamp can we use?

time format: 1589479343000

timestamp: ?

I'm working on the Eventgen app to generate the 13-digit epoch time.


Thanks in Advance

SplunkTrust

In general, epoch time can be converted using strftime and any time format,

e.g.

formatted=strftime(1589479343000/1000,"%Y-%m-%d %H:%M:%S")

(strftime expects seconds, so a 13-digit millisecond value is divided by 1000 first.)

Does that work?

Explorer

Hi @renjith_nair,

Thank you for your reply.

Actually, I'm not trying to convert the epoch time. I need it in the epoch time format.

I'd like to generate epoch time in the same format (1589479343000), so I just need the timestamp for that specified epoch time (if it is possible).

I'd like to generate multiple events in the Eventgen app, so I need the timestamp to generate epoch time,

not the conversion of any time format.

I have data like this: "$date": 1589530298000

To generate more data in the Eventgen app I used a token like this:

token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = ?

What should I add in token.2.replacement = to get the epoch time?

Thank you

SplunkTrust

Sorry, I'm not sure I have understood it correctly.

So you have an epoch as part of your data, in the format "$date": 1589530298000.

Do you want to replace it or convert it? If you do not want to replace it, just don't add anything to the replacement.

token.<n>.replacement = <string> | <strptime> | ["list","of","strptime"] | guid | ipv4 | ipv6 | mac | integer[<start>:<end>] | float[<start>:<end>] | string(<i>) | hex(<i>) | list["list", "of", "values"] | <replacement file name> | <replacement file name>:<column number> | <integer>
* 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
* For <string>, the token will be replaced with the value specified.
* For <strptime>, a strptime formatted string to replace the timestamp with
* For ["list","of","strptime"], only used with replaytimestamp, a JSON formatted list of strptime
  formats to try. Will find the replace with the same format which matches the replayed timestamp.
* For guid, the token will be replaced with a random GUID value.
* For ipv4, the token will be replaced with a random valid IPv4 Address (i.e. 10.10.200.1).
* For ipv6, the token will be replaced with a random valid IPv6 Address (i.e. c436:4a57:5dea:1035:7194:eebb:a210:6361).
* For mac, the token will be replaced with a random valid MAC Address (i.e. 6e:0c:51:c6:c6:3a).
* For integer[<start>:<end>], the token will be replaced with a random integer between 
  start and end values where <start> is a number greater than 0 
  and <end> is a number greater than 0 and greater than or equal to <start>. If rated,
  will be multiplied times hourOfDayRate and dayOfWeekRate.
* For float[<start>:<end>], the token will be replaced with a random float between
  start and end values where <end> is a number greater than or equal to <start>.
  For floating point numbers, precision will be based off the precision specified
  in <start>. For example, if we specify 1.0, precision will be one digit, if we specify
  1.0000, precision will be four digits. If rated, will be multiplied times hourOfDayRate and dayOfWeekRate.
* For string(<i>), the token will be replaced with i number(s) of ASCII characters where 'i' is a number greater than 0.
* For hex(<i>), the token will be replaced with i number of Hexadecimal characters [0-9A-F] where 'i' is a number greater than 0.
* For list, the token will be replaced with a random member of the JSON list provided.
* For <replacement file name>, the token will be replaced with a random line in the replacement file.
  * Replacement file name should be a fully qualified path (i.e. $SPLUNK_HOME/etc/apps/windows/samples/users.list).
  * Windows separators should contain double forward slashes '\\' (i.e. $SPLUNK_HOME\\etc\\apps\\windows\\samples\\users.list).
  * Unix separators will work on Windows and vice-versa.
* Column numbers in mvfile or seqfile references are indexed at 1, meaning the first column is column 1, not 0.
* <integer> used as the seed for integerid.
* Defaults to None.


Explorer

To be more specific, @renjith_nair:

I have data like this: "$date": 1589530298000

This is an old date in epoch time,

so I'm trying to replace it with the current date and time in the same epoch time format.

For that I used a conf like this:

token.2.token = "\$date":([^}]+)
token.2.replacementType = timestamp
token.2.replacement = (I've no idea what to add here to replace the old epoch time with the current date and time in epoch time)

I hope you understand.

Thanks in advance


Explorer

Thank you for your reply, @renjith_nair.

I want to replace it with the current date and time in epoch time format.

SplunkTrust

It looks like it depends on the earliest and latest time you configure. So if you configure earliest and latest to a recent time (e.g. -10m -> now()) and provide a strptime format, then it should replace the timestamp. Not tested, though.

Explorer

Hello @renjith_nair,

Thanks for your response.

Actually, the strptime format is the problem. I've used a format like %s, but it only provides a 10-digit epoch time instead of 13, and the events are changing from raw data to JSON format automatically.

SplunkTrust

The timestamp in the data, e.g. 1589530298000, resolves to a future date due to the trailing zeros. I haven't tried it, but can't you adjust the regex to capture only the 10 digits and convert them? Sorry, I can't think of any other method.
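Added example, not part of the thread and not Eventgen's own code: a small Python simulation of what the thread is wrestling with. It applies a token regex to a constructed "$date" event, substitutes a random time between an earliest and latest bound formatted with a strftime string (the assumption here, mirroring the thread, is that Eventgen's replacementType = timestamp replaces capture group 1 of the token regex this way), and shows both the 10-digit result that "%s" gives for the original regex and the 13-digit result obtained with the workaround from the last reply: a regex that captures only the leading 10 digits so the trailing "000" survives. The event string and both regexes are constructed for the example.

```python
import random
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event in MongoDB extended-JSON style; not real data.
SAMPLE_EVENT = '{"_id": "abc123", "created": {"$date": 1589530298000}, "status": "ok"}'

# Token regex from the thread: captures the whole 13-digit value (and the
# leading space, since nothing sits between ":" and the capture group).
TOKEN_FULL_VALUE = r'"\$date":([^}]+)'
# Workaround regex (assumed, per the last reply): capture only the first ten
# digits so the trailing "000" stays in the event after replacement.
TOKEN_SECONDS_ONLY = r'"\$date": (\d{10})'


def format_epoch(moment, fmt):
    """Format a timezone-aware datetime with a strftime string.
    "%s" (whole seconds since the epoch) is computed explicitly because
    Python hands it to the platform libc, which Windows does not support."""
    if fmt == "%s":
        return str(int(moment.timestamp()))
    return moment.strftime(fmt)


def replace_timestamp_token(event, token_regex, fmt, earliest, latest, rng=random):
    """Stand-in for an Eventgen token with replacementType = timestamp
    (assumption: capture group 1 is replaced with a random time between
    earliest and latest, formatted with the replacement's strftime string).
    Returns the event unchanged when the regex does not match."""
    window = (latest - earliest).total_seconds()
    moment = earliest + timedelta(seconds=rng.uniform(0, window))
    match = re.search(token_regex, event)
    if match is None:
        return event
    start, end = match.span(1)
    return event[:start] + format_epoch(moment, fmt) + event[end:]


def extract_date(event):
    """Return the numeric $date value from an event, for checking results."""
    match = re.search(r'"\$date":\s*(\d+)', event)
    return int(match.group(1))


if __name__ == "__main__":
    latest = datetime.now(timezone.utc)
    earliest = latest - timedelta(minutes=10)       # like earliest = -10m, latest = now
    # Original regex + "%s": the whole value becomes a 10-digit epoch.
    print(replace_timestamp_token(SAMPLE_EVENT, TOKEN_FULL_VALUE, "%s", earliest, latest))
    # Narrow regex + "%s": ten fresh digits, trailing "000" kept -> 13 digits.
    print(replace_timestamp_token(SAMPLE_EVENT, TOKEN_SECONDS_ONLY, "%s", earliest, latest))
```

The second approach only yields whole-second precision with three zero milliseconds, which matches the sample data; it does not make "%s" emit milliseconds, since strftime has no millisecond-epoch directive.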