I need to convert the _time to epoch time. How is this done? Here is my time format and my cell is "_time".
I have tried in the search box the following line.
| eval epoch1=strptime(_time,"%m/%d/%y %I:%M:%N %p")
_time
6/27/19 2:29:09.000 PM
6/27/19 3:29:09.000 PM
6/27/19 5:29:09.000 PM
Thank you!
Hi @Becherer,
_time is always stored in the Splunk indexes as an epoch time value. When you use _time in a search, Splunk assumes you want to see a human-readable time value, instead of an epoch time number of seconds. It also assumes that you want to see this human-readable time value in the current time zone of the user account that is currently logged in.
If you want to see the actual epoch time value, you can use eval to create an epoch time representation instead:
| eval time_epoch = strftime(_time, "%s")
As @mdsnmss suggested, you could also do
| eval epoch1 = _time
I hope this helps.
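To make the time-zone point above concrete outside of Splunk, here is an added Python example (not part of the original answer or of Splunk) that parses the displayed _time strings from the question back into epoch seconds and shows how the result depends on the zone the UI rendered them in. The sample rows are copied from the question; the UTC offsets are assumptions.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample rows, copied from the displayed _time values in the question.
SAMPLE_ROWS = [
    "6/27/19 2:29:09.000 PM",
    "6/27/19 3:29:09.000 PM",
    "6/27/19 5:29:09.000 PM",
]

# Python equivalent of the displayed format: 12-hour clock, seconds, fractional
# seconds and AM/PM.  Splunk's strptime spells the subsecond part %N; Python uses %f.
DISPLAY_FORMAT = "%m/%d/%y %I:%M:%S.%f %p"


def display_to_epoch(text: str, utc_offset_hours: int = 0) -> int:
    """Parse a human-readable _time string back into epoch seconds.

    The displayed value carries no zone information: Splunk rendered it in the
    logged-in user's time zone, so the caller has to state that offset (assumed UTC
    by default).  The same string yields a different epoch for every offset.
    """
    naive = datetime.strptime(text, DISPLAY_FORMAT)
    aware = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return int(aware.timestamp())


def epoch_to_display(epoch: int, utc_offset_hours: int = 0) -> str:
    """Render epoch seconds the way the UI displayed them for the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    t = datetime.fromtimestamp(epoch, tz=tz)
    # Month and hour appear without leading zeros, subseconds with three digits.
    return "%d/%d/%s %d:%s.%03d %s" % (
        t.month, t.day, t.strftime("%y"),
        int(t.strftime("%I")), t.strftime("%M:%S"),
        t.microsecond // 1000, t.strftime("%p"),
    )


def epoch_by_zone(text: str, offsets=(0, -4, -7)) -> dict:
    """Show the ambiguity: one displayed string, one epoch per assumed offset."""
    return {off: display_to_epoch(text, off) for off in offsets}


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row, "->", epoch_by_zone(row))
    print(epoch_to_display(display_to_epoch(SAMPLE_ROWS[0])))
```

When correlating Splunk output with other systems during an investigation, use the stored epoch value (or strftime(_time, "%s")) rather than re-parsing the displayed string, because the display has already been shifted into the viewer's zone.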
| eval epoch1=_time
@mdsnmss
I tried that but it still is showing the same. Do I need to change the %s?
You are trying to get the field _time itself to display epoch? What is the full search? I don't believe you can actually overwrite _time, so you have to use the other field to display epoch.
One thing I forgot is _time actually is already in epoch but just displayed human readable in Splunk UI. All you would need is | eval epoch1=_time
I have tried both but can't seem to change the field. Could I display the epoch time in a different column?
index=EventEndpoint
| eval date=strftime(date,"%c")
And
index=EventEndpoint
| eval epoch1=_time
What are you using to display the data? Those base searches will only return raw results and not a stats/visualization. index=EventEndpoint | eval date=_time | table date _time
will show you the time in both epoch and human readable time.