Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to Convert Epoch Time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running the below query to find out when was the last time an index checked in. However, in using this query the output reflects a time format that is in EPOC format. I'd like to convert it to a standard month/day/year format. Any help is appreciated. Thank you.
| tstats latest(_time) WHERE index=* BY index- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several ways to do that.
Start with | tstats latest(_time) as time WHERE index=* BY index then add your choice of
| eval time = strftime(time, "%c")
| convert ctime(time)
| fieldformat time = strftime(time, "%c")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
month/day/year format is %x
but
| tstats latest(_time) as _time WHERE index=* BY index
This is enough.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several ways to do that.
Start with | tstats latest(_time) as time WHERE index=* BY index then add your choice of
| eval time = strftime(time, "%c")
| convert ctime(time)
| fieldformat time = strftime(time, "%c")
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=prd* /inf/bnkng/evnt/arrngmntorigevnt/consumr/mrtgeorig/v1/submissions/*/applications/submissionView "includeHomeInsuranceDetails=Y" ssl_client_verify= SUCCESS|table request, time|eval time = strftime(time, "%c")
Result:
| GET /inf/bnkng/evnt/arrngmntorigevnt/consumr/mrtgeorig/v1/submissions/SUB501460231068589/applications/submissionView?brandSilo=ANZYU&includeHomeInsuranceDetails=Y HTTP/1.1 | Sun Mar 26 08:09:28 2023 |
| GET /inf/bnkng/evnt/arrngmntorigevnt/consumr/mrtgeorig/v1/submissions/SUB503765231068589/applications/submissionView?brandSilo=ANZYD&includeHomeInsuranceDetails=Y HTTP/1.1 | Sun Mar 26 08:28:09 2023 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using the following worked:
| tstats latest(_time) as time WHERE index=* BY index
| eval time=strftime(time, "%c")
Thank you!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
