Solved: Time conversion

Nith1 · ‎05-28-2021

Hi Team

I have the time in this format "startTime":1606406489009 i wanted to convert it to date-month-year hour-seconds can someone please help me with the query

ITWhisperer · ‎05-31-2021

Not sure whether there is another question here - the rex extracts the digits as a number, the number represents milliseconds since epoch, time is usually stored as seconds since epoch so divide this number by 1000, this can be done with all your events with this format for time, to display in human-readable format use fieldformat with the appropriate settings.

View solution in original post

ITWhisperer · ‎05-28-2021

| makeresults
| eval _raw="\"startTime\":1606406489009"
| rex "startTime\":(?<time>\d+)"
| eval seconds=time/1000
| fieldformat seconds=strftime(seconds,"%Y-%m-%d %H:%M:%S.%Q")

Nith1 · ‎05-31-2021

Hi @ITWhisperer

Thanks for the reply its working, but if we have all the logs with same kind for starttime how can we resolve that

Thanks

ITWhisperer · ‎05-31-2021

Not sure whether there is another question here - the rex extracts the digits as a number, the number represents milliseconds since epoch, time is usually stored as seconds since epoch so divide this number by 1000, this can be done with all your events with this format for time, to display in human-readable format use fieldformat with the appropriate settings.

isoutamo · ‎05-28-2021

You could found explanations for those variables here: https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Commontimeformatvariables

Time conversion

timechart

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team