Hi everyone,
I use the following eval expression to convert epoch time to human readable format when I search:
... | eval formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")
*old_time = time in epoch format.
Is it possible to make it permanent?
I mean, to calculate it automatically and not have to use the above search every time?
Yes, Splunk supports this via a feature called "calculated fields" in props.conf. To do this for a source type called my_custom, it would look like this:
[my_custom]
EVAL-formatted_time=strftime(old_time/1000, "%H:%M:%S %d-%m-%Y")
You can also find it in the UI under Fields > Calculated fields.
I tried to set it under $SPLUNK_HOME/etc/apps/search/local/props.conf but it doesn't work for me 😞
@bugnet, what does the props look like? You may want to implement it in the UI per yannK's comments (In "Settings" menu).
Define it in props.conf.