Solved: How to convert epoch to human readable format at i...

donaldwayne1975 · ‎03-19-2020

Event data has multiple time values in the Epoch time format. I am able to convert the one used for event timestamp without issue. Having trouble with the eval statements in props.conf to convert the additional fields to a human-readable time for indexing.

example of times in the event (referenced as time.event, time.receive, and time.report)

example of EVAL statements

martin_mueller · ‎03-19-2020

eval considers the dot to be a concatenation operator, use strptime('time.report', "...") - the single quotes will tell eval "this is a field name, even if it contains operators and other non-standard characters".

View solution in original post

martin_mueller · ‎03-19-2020

eval considers the dot to be a concatenation operator, use strptime('time.report', "...") - the single quotes will tell eval "this is a field name, even if it contains operators and other non-standard characters".

donaldwayne1975 · ‎03-19-2020

eureka! knew it was something small I was missing. changed it to strftime to work correctly.

martin_mueller · ‎03-19-2020

Right, strftime 🙂

For posterity and future generations of googlers, this is search time, not index time.

How to convert epoch to human readable format at index time for multiple time values?

eval

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!