Why does SPLUNK show Date as a number?

hylee · ‎12-09-2013

For example, data(DATETIME) in a table is "2013-12-09 18:06:12". but in SPLINK, it shows "1386579972.000".

SPLUNK doesn't read DATETIME format? or why?
I don't want to change the DB table..

Is there any way to correct in SPLUNK? help me..
I hope to see the data(DATETIME) as a date in SPLUNK..

hylee · ‎12-09-2013

oh~ thank you so much

aholzer · ‎12-09-2013

Like @Ayn says, your field will be stored as an epoch time. You can then use the convert command or the strftime eval function to convert your field into a human readable format. Like so:

| convert ctime(date) as human_readable_date
or
| eval human_readable_date=strftime(date,"%Y-%m-%d %H:%M:%S")

Hope this helps

Ayn · ‎12-09-2013

"1386579972" IS the date, it's just in another format - specifically, it's epoch, which is the number of seconds since January 1st 1970 00:00. You could check this yourself by using something like http://www.epochconverter.com/ .

I don't understand what the problem is. Splunk will parse this and set the correct timestamp, so what is the issue you're running into?

hylee · ‎12-09-2013

I didn't know that. thank you

Why does SPLUNK show Date as a number?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life