Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert Epoch Time to Human Readable Date formatting issue

daivish
Explorer
‎05-12-2015 03:29 PM

I have following Splunk Query which is trying to format Epoch captured start and end time into human readable format but seems like splunk is pulling incorrect value here...

index=wd_test source=*-1.0.0.log | fieldformat c_start=strftime(start,"%m/%d/%Y %H:%M:%S") | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(end) as c_end | eval duration=(end-start)/1000|table start, c_start, end, c_end , duration, sla

I am getting following Result as part of executing above query 

start   c_start end c_end   duration    sla

1 1430167363808 12/31/9999 23:59:59 1430167364085 12/31/9999 23:59:59 0.277000 2
2 1430167236667 12/31/9999 23:59:59 1430167236856 12/31/9999 23:59:59 0.189000 2

alt text

Can someone help me here to resolve this issue ? I tried 2 different approaches here but none of them working.

Using following Online Epoch formatted tool i am able to convert successfully but not using Splunk....

http://www.freeformatter.com/epoch-timestamp-to-date-converter.html

2015-05-12_1523.png
Preview file
23 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎05-12-2015 04:02 PM

I do not blame the search. It has something to do with the epoch time : 1430167363808 and 1430167236667 (13 digits) are milli seconds the culprit?

I just converted 2015-05-08 22:21:09 to epoch and the value is 1431138069 (10 digits). Something is not right with the digits 🙂

Thanks,
Raghav

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dkblinux98
Loves-to-Learn Lots
‎02-13-2022 09:21 AM

I have a 13 digit epoch time and I can covert it with:

eval start_time=strftime((start/1000), "%m-%d-%Y %H:%M:%S.%3N"), end_time=strftime((end/1000), "%m-%d-%Y %H:%M:%S.%3N")

0 Karma
Reply
Solved! Jump to solution

daivish
Explorer
‎05-12-2015 05:01 PM

I tried to read online someone posted already similar question but there isn't any solution posted on this question too..... None of the answers from this post is working for me.

http://answers.splunk.com/answers/150053/how-to-convert-epoch-time-to-human-readable-format-in-searc...

0 Karma
Reply
Solved! Jump to solution
Solution

Raghav2384
Motivator
‎05-12-2015 04:02 PM

I do not blame the search. It has something to do with the epoch time : 1430167363808 and 1430167236667 (13 digits) are milli seconds the culprit?

I just converted 2015-05-08 22:21:09 to epoch and the value is 1431138069 (10 digits). Something is not right with the digits 🙂

Thanks,
Raghav

0 Karma
Reply
Solved! Jump to solution

daivish
Explorer
‎05-12-2015 04:07 PM

This Online Converter able to convert successfully. Without any issues here.

Try using this provided epoch time.
1430167363808 or 1430167236667 it is able to convert it successfully.

http://www.freeformatter.com/epoch-timestamp-to-date-converter.html

0 Karma
Reply
Solved! Jump to solution

daivish
Explorer
‎05-14-2015 05:54 PM

Yes 13 Digits is not supported by Splunk only 10 Digits with EPOCH is supported by Splunk API. As i couldn't able to work with 13 Digits and when i changed form 13 Digits to 10 Digits it worked out well for me.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top