Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert 18 character epoch time to format so Splunk understands without thinking events happened in future?

jhampton3rd
Explorer
‎09-12-2016 06:37 AM

I have a dashboard that shows the status of certain logs reporting to Splunk. Within this dashboard, it also shows the last time an event was sent. Most of my log sources reports in 12 character Epoch time but I do have a few that reports in 18 character epoch time. For the ones that report in 18 characters, Splunk thinks that these events are happening in the future. Is there a way to fix this so that Splunk understands the 18 characters?

The source for the dashboard is the following:

| metadata index=* type=sourcetypes | stats max(lastTime) as lastEvent by sourcetype | convert ctime(*Event) | search sourcetype!="*too_small"  | search  ( **OMITTED** )   | eval LastEventEpoch = lastEvent | eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S") | eval nowEpoch=now() | eval diff = nowEpoch - lastEventEpoch| eval diff=if(diff>0, diff, 0)  | eval status=case(diff >= 1 AND diff <=1800, "RUNNING", diff > 1801, "DOWN", diff=0, "OFFLINE/EVENT IN THE FUTURE") | sort - status| rename sourcetype AS Sourcetype, lastEvent AS "Last Seen Event", status AS Status | table Sourcetype, "Last Seen Event", Status

Thanks for your help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tmarlette
Motivator
‎09-13-2016 11:29 AM

Try using regex to peel out the first 12 digits of your time. something like this:

| rex field=_time "(?<_time>\d{12})"

View solution in original post

Reply
Solved! Jump to solution
Solution

tmarlette
Motivator
‎09-13-2016 11:29 AM

Try using regex to peel out the first 12 digits of your time. something like this:

| rex field=_time "(?<_time>\d{12})"
Reply
Solved! Jump to solution

jhampton3rd
Explorer
‎09-13-2016 11:50 AM

Thanks!!!! This fixed the issue!!!

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎09-12-2016 10:01 AM

Instead of 

eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S")

You might try

eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S") | eval lastEventEpoch_s = strftime(lastEventEpoch, "%s") | eval  lastEventEpoch_rnd = round(lastEventEpoch_s/1000)

Then use the new field lastEventEpoch_rnd in your comparison.
In theory, the strptime will convert the string into a time. The strftime will change the time format to epoch. The round will take the time/1000 and basically remove the microseconds.

0 Karma
Reply
Solved! Jump to solution

jhampton3rd
Explorer
‎09-13-2016 11:49 AM

Thanks for your help. Using regex to peel the first 12 characters did the trick.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-12-2016 07:50 AM

Can you post some sample events where you get 18 character epoch timestamp?

0 Karma
Reply
Solved! Jump to solution

jhampton3rd
Explorer
‎09-13-2016 11:51 AM

Using regex to strip the first 12 characters fixed the issue. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...