1 Solution
Are you sure 1477292160453180 is milliseconds and not microseconds?
In any case, try the following instead:
| rex field=_raw "Timestamp:\s(?<request_time_secs>\d+)(?<request_time_microsecs>\d{6})\s(?<response_time>\d+)"
| eval request_time = toNumber(request_time_secs + "." + request_time_microsecs)
| fieldformat request_time = strftime(request_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval _time = request_time
Example:
| stats count | fields - count
| eval request_time = 1477292160453180
| rex field=request_time "(?<request_time_secs>\d+)(?<request_time_microsecs>\d{6})"
| eval request_time = toNumber(request_time_secs + "." + request_time_microsecs)
| fieldformat request_time = strftime(request_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval _time = request_time
Output (see picture below):
Are you sure 1477292160453180 is milliseconds and not microseconds?
In any case, try the following instead:
| rex field=_raw "Timestamp:\s(?<request_time_secs>\d+)(?<request_time_microsecs>\d{6})\s(?<response_time>\d+)"
| eval request_time = toNumber(request_time_secs + "." + request_time_microsecs)
| fieldformat request_time = strftime(request_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval _time = request_time
Example:
| stats count | fields - count
| eval request_time = 1477292160453180
| rex field=request_time "(?<request_time_secs>\d+)(?<request_time_microsecs>\d{6})"
| eval request_time = toNumber(request_time_secs + "." + request_time_microsecs)
| fieldformat request_time = strftime(request_time, "%Y-%m-%d %H:%M:%S.%6N")
| eval _time = request_time
Output (see picture below):
