Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert epoch time with milliseconds into splunk at indexing time

vrmandadi
Builder
‎03-26-2020 09:26 AM

I have a file that I am monitoring has time in epoch format milliseconds .What setting should be placed in the props.conf to convert it to human readable

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-26-2020 09:44 AM

You don't want to convert timestamps to human-readable format at index time because a human is not reading the timestamp at index time. Use TIME_FORMAT = %s%3N to tell Splunk the timestamp is in epoch form with milliseconds. Remember to set TIME_PREFIX properly.

Do the conversion to human-readable format at search time. Do so using fieldformat as late as possible in the query.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-26-2020 09:45 AM

Use INGEST_EVAL in transforms.conf on indexers:

props.conf

[mysourcetype]
TRANSFORMS = myeval

transforms.conf

[myeval]
INGEST_EVAL = human_readable_field = strftime(epoch_field_from_data, "%m-%d-%Y %H:%M:%S.%3N")

And on search heads add this field in fields.conf so that users can search this field.
fields.conf 

[human_readable_field]
INDEXED = True
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-26-2020 09:44 AM

You don't want to convert timestamps to human-readable format at index time because a human is not reading the timestamp at index time. Use TIME_FORMAT = %s%3N to tell Splunk the timestamp is in epoch form with milliseconds. Remember to set TIME_PREFIX properly.

Do the conversion to human-readable format at search time. Do so using fieldformat as late as possible in the query.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-26-2020 01:22 PM

Thank you @richgalloway .What time format do I need to set for events which have Mar 25, 21:43 UTC as timestamp

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-26-2020 02:04 PM

%b %d, %H:%M:%S %Z. See the "Date and time format variables" section of the Search Reference manual.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎03-26-2020 02:14 PM

Thank You.

0 Karma
Reply
Get Updates on the Splunk Community!