
Epoch Search String Multiply


Hello!

Can anyone please help me with this search string?
I have epoch data inside my query like this:

**index=main StartDate_epoch=* | table StartDate_epoch | eval StartDate_epoch=strftime(StartDate_epoch, "%d/%m/%Y")**

However, it shows results like this: 31/12/9999
I saw on a website that we should first multiply the epoch date by 1000. How should I multiply this inside the search string query?

http://www.epochconverter.com/programming/

Re: Epoch Search String Multiply


I did it in JavaScript and it worked, I dunno how to do it in Splunk. Look, this is my JS script for this situation:

<html>
<head>
<title>Test Script</title>
<script>

// Build a Date from the StartDate_epoch value, then print it as GMT and as local time
var StartDate_epoch = new Date(1410441296607 * 1000);
document.write(StartDate_epoch.toGMTString() + "<br>" + StartDate_epoch.toLocaleString());

</script>
</head>
<body style="font-size:32px">

</body>
</html>

How do I use this inside the search string?


Re: Epoch Search String Multiply

Hi,

Your epoch timestamp is not really epoch, at least it is 3 digits too long. So it has higher resolution than normal epoch. Try this:

index=main StartDate_epoch=* | eval StartDate_epoch=StartDate_epoch/1000 | eval StartDate_epoch=strftime(StartDate_epoch, "%d/%m/%Y")

Here is a helpful "run everywhere" search that you can use to test things like these:

| stats count | eval StartDate_epoch=1410441296607 | eval StartDate_epoch=StartDate_epoch/1000 | eval StartDate_epoch=strftime(StartDate_epoch, "%d/%m/%Y")
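The unit check behind the divide-by-1000 fix above, as an added JavaScript example that is not part of the original thread: it goes beyond the millisecond case and normalises second, millisecond, microsecond and nanosecond values to seconds before formatting. The function names and the digit-count thresholds are assumptions made for this example; the thresholds only hold for dates between 2001 and 2286.

```javascript
// Added example (not from the thread): normalise epoch values of unknown
// resolution to whole seconds, then format them as dd/mm/YYYY.
// Assumption: resolution is inferred from digit count, which is unambiguous
// only for timestamps between 2001-09-09 and 2286-11-20.
const UNITS = [
  { name: "s", maxDigits: 10, divisor: 1 },
  { name: "ms", maxDigits: 13, divisor: 1e3 },
  { name: "us", maxDigits: 16, divisor: 1e6 },
  { name: "ns", maxDigits: 19, divisor: 1e9 },
];

function toEpochSeconds(raw) {
  const text = String(raw).trim();
  // Reject anything that is not a plain unsigned integer (already formatted
  // dates, empty fields, negative values) instead of silently coercing it.
  if (!/^\d+$/.test(text)) {
    throw new TypeError(`not an unsigned integer epoch: ${raw}`);
  }
  const digits = text.replace(/^0+(?=\d)/, "").length;
  const unit = UNITS.find((u) => digits <= u.maxDigits);
  if (!unit) {
    throw new RangeError(`too many digits for an epoch value: ${raw}`);
  }
  // BigInt keeps nanosecond inputs exact; Number loses precision above 2^53.
  const seconds = BigInt(text) / BigInt(unit.divisor);
  return { seconds: Number(seconds), unit: unit.name };
}

function formatDayUTC(raw) {
  const { seconds } = toEpochSeconds(raw);
  const d = new Date(seconds * 1000); // JavaScript Date expects milliseconds
  const pad = (n) => String(n).padStart(2, "0");
  // Formatted in UTC; a tool that renders local time can show a different day.
  return `${pad(d.getUTCDate())}/${pad(d.getUTCMonth() + 1)}/${d.getUTCFullYear()}`;
}

// Constructed sample values: the thread's timestamp at four resolutions.
const samples = [
  1410441296,
  1410441296607,
  1410441296607000,
  "1410441296607000000",
];
for (const value of samples) {
  const { unit } = toEpochSeconds(value);
  console.log(`${value} (${unit}) -> ${formatDayUTC(value)}`);
}
```
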


Re: Epoch Search String Multiply


For some reason, results are different from the converter web, but close enough I believe, thanks in advance @tom_frotscher!
