Splunk Search

How to convert epoch time with milliseconds in Splunk at indexing time

Builder

I have a file that I am monitoring that has time in epoch format in milliseconds. What setting should be placed in props.conf to convert it to human-readable?


SplunkTrust

You don't want to convert timestamps to human-readable format at index time because a human is not reading the timestamp at index time. Use TIME_FORMAT = %s%3N to tell Splunk the timestamp is in epoch form with milliseconds. Remember to set TIME_PREFIX properly.

Do the conversion to human-readable format at search time. Do so using fieldformat as late as possible in the query.

---
If this reply helps you, an upvote would be appreciated.


Influencer

Use INGEST_EVAL in transforms.conf on the indexers:

props.conf

[mysourcetype]
# TRANSFORMS settings carry a class name: TRANSFORMS-<class> = <transforms.conf stanza>
TRANSFORMS-myeval = myeval

transforms.conf

[myeval]
# epoch_field_from_data must already exist at ingest time (an earlier index-time
# extraction). The raw value is epoch milliseconds and strftime() expects seconds,
# so divide by 1000 before formatting.
INGEST_EVAL = human_readable_field = strftime(epoch_field_from_data/1000, "%m-%d-%Y %H:%M:%S.%3N")

And on the search heads, add the field to fields.conf so that users can search on it:

fields.conf

[human_readable_field]
INDEXED = True


Builder

Thank you @richgalloway. What time format do I need to set for events which have "Mar 25, 21:43 UTC" as the timestamp?


SplunkTrust
SplunkTrust

%b %d, %H:%M:%S %Z. See the "Date and time format variables" section of the Search Reference manual.

---
If this reply helps you, an upvote would be appreciated.
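As an added check (example code written for this page, not from any of the posters, from Splunk, or from the Splunk documentation), the script below emulates what the props.conf settings discussed in this thread would do to a line before you deploy them: TIME_PREFIX plus TIME_FORMAT = %s%3N from the accepted answer, the strftime() conversion of an epoch-millisecond value from the INGEST_EVAL answer, and the %b %d ... %Z style format from the reply above. The sample events, the "ts=" prefix, the sourcetype-free layout and the default year are all invented for the example; Python's strptime has no %s or %3N, so those two variables are handled by hand and every other format is delegated to datetime.strptime.

```python
"""Offline check of Splunk timestamp settings against sample events.

Splunk's TIME_FORMAT uses strptime-style variables. Two of them, %s (epoch
seconds) and %3N (milliseconds), have no Python equivalent, so they are
handled here by hand; everything else is delegated to datetime.strptime.
"""
import re
from datetime import datetime, timezone

# Constructed sample events (not from the thread). The first two carry an
# epoch-millisecond timestamp after an invented "ts=" prefix; the third uses
# the "Mar 25, 21:43 UTC" layout asked about later in the thread.
SAMPLE_EVENTS = [
    'ts=1711402980123 level=INFO msg="user login" user=alice',
    'ts=1711402980999 level=WARN msg="failed login" user=bob',
    'Mar 25, 21:43 UTC host=web01 msg="service restarted"',
]


def extract_timestamp(event, time_prefix, time_format, default_year=2024):
    """Emulate Splunk's TIME_PREFIX + TIME_FORMAT lookup on one event.

    The text after the first TIME_PREFIX match is parsed with TIME_FORMAT.
    "%s%3N" (epoch seconds immediately followed by three millisecond digits)
    is the only Splunk-specific format supported; any other format is tried
    with datetime.strptime on the longest leading substring it accepts,
    which mirrors Splunk stopping once the format is satisfied.
    Returns a timezone-aware UTC datetime.
    """
    m = re.search(time_prefix, event)
    if m is None:
        raise ValueError(f"TIME_PREFIX {time_prefix!r} not found in {event!r}")
    rest = event[m.end():]

    if time_format == "%s%3N":
        # Greedy \d+ takes the seconds, the final three digits are the ms.
        m = re.match(r"(\d+)(\d{3})", rest)
        if m is None:
            raise ValueError(f"no epoch-millisecond value after prefix in {event!r}")
        secs, millis = int(m.group(1)), int(m.group(2))
        return datetime.fromtimestamp(secs, tz=timezone.utc).replace(
            microsecond=millis * 1000)

    for end in range(len(rest), 0, -1):
        try:
            dt = datetime.strptime(rest[:end], time_format)
        except ValueError:
            continue
        if "%Y" not in time_format and "%y" not in time_format:
            # Splunk fills in a missing year itself; strptime would use 1900.
            dt = dt.replace(year=default_year)
        # strptime accepts %Z but attaches no tzinfo; the samples are UTC.
        return dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"TIME_FORMAT {time_format!r} does not match {rest!r}")


def format_matches(event, time_prefix, time_format):
    """True if the settings extract a timestamp from the event, else False.

    Run this over a handful of real lines before committing a TIME_FORMAT to
    props.conf; a format with a field the data lacks (e.g. %S) never matches.
    """
    try:
        extract_timestamp(event, time_prefix, time_format)
    except ValueError:
        return False
    return True


def strftime_ms(epoch_ms, fmt="%m-%d-%Y %H:%M:%S.%3N"):
    """Emulate Splunk's strftime(epoch_ms/1000, fmt) for a millisecond epoch.

    Python's strftime has no %3N, so the millisecond field is substituted
    before formatting. Integer arithmetic avoids float rounding of the ms.
    """
    dt = datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc).replace(
        microsecond=(epoch_ms % 1000) * 1000)
    return dt.strftime(fmt.replace("%3N", f"{epoch_ms % 1000:03d}"))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS[:2]:
        dt = extract_timestamp(event, r"ts=", "%s%3N")
        raw_ms = int(re.search(r"ts=(\d+)", event).group(1))
        print(f"{event[:20]:<22} _time={dt.isoformat()}  human={strftime_ms(raw_ms)}")
    event = SAMPLE_EVENTS[2]
    for fmt in ("%b %d, %H:%M %Z", "%b %d, %H:%M:%S %Z"):
        print(f"{fmt!r:<24} matches={format_matches(event, r'^', fmt)}")
```

strftime_ms() renders the same string that a search-time `fieldformat human_ts = strftime(epoch_ms/1000, "%m-%d-%Y %H:%M:%S.%3N")` would, given an extracted numeric epoch_ms field; keeping _time as the raw epoch and applying the format only at display time is what the accepted answer recommends. The format_matches() loop is the practitioner's check: the third sample line has no seconds field, so a format that includes %S reports no match, and that is the kind of mismatch you want to catch on a few real lines before the props.conf change reaches an indexer.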

Builder

Thank You.
