How to convert _time column to epoch time

Becherer
Explorer

I need to convert the _time to epoch time. How is this done? Here is my time format and my cell is "_time".
I have tried in the search box the following line.

| eval epoch1=strptime(_time,"%m/%d/%y %I:%M:%N %p")

_time
6/27/19 2:29:09.000 PM
6/27/19 3:29:09.000 PM
6/27/19 5:29:09.000 PM

Thank you!

1 Solution

mdsnmss
SplunkTrust

| eval epoch1=_time



jnudell_2
Builder

Hi @Becherer,

_time is always stored in the Splunk indexes as an epoch time value. When you use _time in a search, Splunk assumes you want to see a human-readable time value, instead of an epoch time number of seconds. It also assumes that you want to see this human readable time value in the current time zone of the user account that is currently logged in.

If you want to see the actual epoch time value, you can use eval to create an epoch time representation instead:

| eval time_epoch = strftime(_time, "%s")

As @mdsnmss suggested, you could also do

| eval epoch1 = _time

This also works, because Splunk only makes the human-readable assumption for _time, and anything else that you set to _time will be an epoch time value.

I hope this helps.

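An added example, not from any poster in this thread, that puts the answers together in one search: `makeresults` supplies a constructed event, `epoch1` shows that `_time` already holds the epoch number, and `strptime` is only needed for a string timestamp in the question's "6/27/19 2:29:09.000 PM" format, where the seconds and milliseconds need `%S.%3N` (the original attempt had no `%S`). The `raw_ts` value is constructed for the example.

```spl
| makeresults
| eval raw_ts="6/27/19 2:29:09.000 PM"
| eval epoch1=_time
| eval parsed_epoch=strptime(raw_ts, "%m/%d/%y %I:%M:%S.%3N %p")
| eval parsed_human=strftime(parsed_epoch, "%Y-%m-%d %H:%M:%S.%3N %z")
| table _time epoch1 raw_ts parsed_epoch parsed_human
```

The `_time` column is rendered human-readable by the UI while `epoch1` shows the same value as a number; `parsed_epoch` is interpreted in the searching user's configured time zone because the string carries no offset, which is why `%z` in `parsed_human` makes that zone explicit.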

Becherer
Explorer

@mdsnmss

I tried that but it still is showing the same. Do I need to change the %s?


mdsnmss
SplunkTrust

You are trying to get the field _time itself to display epoch? What is the full search? I don't believe you can actually overwrite _time, so you have to use the other field to display epoch.


mdsnmss
SplunkTrust

One thing I forgot: _time actually is already in epoch, but it is just displayed human-readable in the Splunk UI. All you would need is

| eval epoch1=_time


Becherer
Explorer

I have tried both but can't seem to change the field. Could I display the epoch time in a different column?

index=EventEndpoint
| eval date=strftime(date,"%c")

And

index=EventEndpoint
| eval epoch1=_time


mdsnmss
SplunkTrust

What are you using to display the data? Those base searches will only return raw results and not a stats/visualization. The following will show you the time in both epoch and human-readable form:

index=EventEndpoint | eval date=_time | table date _time
