Splunk Search

Convert Epoch Time to Human Readable Date formatting issue

New Member

I have the following Splunk query, which tries to format the epoch start and end times into a human-readable format, but it seems like Splunk is pulling an incorrect value here...

index=wd_test source=*-1.0.0.log | fieldformat c_start=strftime(start,"%m/%d/%Y %H:%M:%S") | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(end) as c_end | eval duration=(end-start)/1000|table start, c_start, end, c_end , duration, sla

I am getting the following result from executing the above query:

| # | start | c_start | end | c_end | duration | sla |
|---|---|---|---|---|---|---|
| 1 | 1430167363808 | 12/31/9999 23:59:59 | 1430167364085 | 12/31/9999 23:59:59 | 0.277000 | 2 |
| 2 | 1430167236667 | 12/31/9999 23:59:59 | 1430167236856 | 12/31/9999 23:59:59 | 0.189000 | 2 |

Can someone help me resolve this issue? I tried 2 different approaches here, but neither of them is working.

Using the following online epoch formatting tool I am able to convert successfully, but not using Splunk....

http://www.freeformatter.com/epoch-timestamp-to-date-converter.html

0 Karma
1 Solution

Motivator

I do not blame the search. It has something to do with the epoch time: 1430167363808 and 1430167236667 (13 digits). Are milliseconds the culprit?

I just converted 2015-05-08 22:21:09 to epoch and the value is 1431138069 (10 digits). Something is not right with the digits 🙂

Thanks,
Raghav

0 Karma

New Member

I tried to read online; someone already posted a similar question, but there isn't any solution posted on that question either..... None of the answers from this post is working for me.

http://answers.splunk.com/answers/150053/how-to-convert-epoch-time-to-human-readable-format-in-searc...

0 Karma

New Member

This online converter is able to convert successfully, without any issues here.

Try using the provided epoch time, 1430167363808 or 1430167236667; it is able to convert it successfully.

http://www.freeformatter.com/epoch-timestamp-to-date-converter.html

0 Karma

New Member

Yes, 13 digits is not supported by Splunk; only 10-digit epoch is supported by the Splunk API. I wasn't able to work with 13 digits, and when I changed from 13 digits to 10 digits it worked out well for me.

0 Karma
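
The unit mismatch discussed in this thread, as an added example that is not part of any post: Python that classifies an epoch value by magnitude and renders it with the thread's format string, which is the normalization `strftime` needs because it expects seconds. It goes beyond the thread's millisecond case to cover microseconds and nanoseconds; the magnitude thresholds and the function names are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample: the start/end pairs from the result table in the question.
ROWS = [(1430167363808, 1430167364085), (1430167236667, 1430167236856)]

# Heuristic (an assumption of this example): pick the unit from the magnitude.
# Each entry is (exclusive upper bound, nanoseconds per tick). 10**11 seconds is
# past the year 5000, so anything larger is treated as a finer unit.
UNIT_BOUNDS = [
    (10**11, 10**9),  # seconds (10 digits today)
    (10**14, 10**6),  # milliseconds (13 digits today)
    (10**17, 10**3),  # microseconds
    (10**20, 1),      # nanoseconds
]


def to_nanos(raw):
    """Normalize an epoch value of unknown unit to integer nanoseconds."""
    raw = int(raw)
    if raw < 0:
        raise ValueError("negative epoch values are not handled here")
    for bound, nanos_per_tick in UNIT_BOUNDS:
        if raw < bound:
            return raw * nanos_per_tick
    raise ValueError(f"epoch value too large to classify: {raw}")


def format_epoch(raw, fmt="%m/%d/%Y %H:%M:%S"):
    """Render in UTC with the thread's format string plus milliseconds."""
    seconds, rem = divmod(to_nanos(raw), 10**9)
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(fmt)
    return f"{stamp}.{rem // 10**6:03d}"


def duration_seconds(start, end):
    """Elapsed seconds between two epoch values, even if their units differ."""
    return (to_nanos(end) - to_nanos(start)) / 10**9


if __name__ == "__main__":
    for start, end in ROWS:
        print(format_epoch(start), format_epoch(end), duration_seconds(start, end))
```

The magnitude heuristic misreads millisecond timestamps earlier than March 1973 as seconds, so fix the unit explicitly when the log source is known.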