Splunk Search

how to convert TAI64N to human readable format

ranandeshi
New Member

Hello,

I would like some help converting the TAI64N format to "%m/%d/%Y %H:%M:%S". I tried to use the following query:

| makeresults
| eval identifier="@4000000068022d4b072a211c"
| eval tai64n_hex = substr(identifier, 2)
| eval tai64_seconds = tonumber(substr(tai64n_hex, 1, 16), 16) - tonumber("4000000000000000", 16)
| eval tai64_nanoseconds = tonumber(substr(tai64n_hex, 17, 8), 16)
| eval tai64_milliseconds = round(tai64_nanoseconds / 1000000, 3)
| eval formatted_time = strftime(tai64_seconds, "%m-%d-%Y %H:%M:%S") . "." . printf("%03d", round(tai64_milliseconds, 0))
| table formatted_time

But the value that's returned is incorrect; sometimes the time is ~5 seconds beyond the _time and sometimes it's ~5 seconds behind the _time. I don't see the precise value being shown.

The formatted_time should give me an output "2025-04-18 10:45:21.120" but I get this "04-18-2025 10:40:00.120".

Can someone assist me on this?

0 Karma

livehybrid
SplunkTrust

Hi

To accurately convert TAI64N to a human-readable timestamp in Splunk, you need to:

    • Subtract the TAI64 epoch offset (0x4000000000000000) from the first 16 hex digits (seconds)
    • Add the nanoseconds (next 8 hex digits) as a fractional part
    • Format the result using strftime and printf

Here's the corrected SPL:

| makeresults
| eval identifier="@4000000068022d4b072a211c"
| eval tai64n_hex = substr(identifier, 2)
| eval tai64_seconds = tonumber(substr(tai64n_hex, 1, 16), 16) - tonumber("4000000000000000", 16)
| eval tai64_nanoseconds = tonumber(substr(tai64n_hex, 17, 8), 16)
| eval tai64_epoch = tai64_seconds + (tai64_nanoseconds / 1000000000)
| eval formatted_time = strftime(tai64_epoch, "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", round((tai64_nanoseconds/1000000),0))
| table formatted_time

tai64_seconds extracts and normalises the seconds since Unix epoch.

tai64_nanoseconds extracts the nanoseconds.

tai64_epoch combines seconds and fractional seconds.

strftime formats the timestamp, and printf ensures milliseconds are zero-padded.

Note:

    • TAI64N timestamps are based on TAI, not UTC. TAI is ahead of UTC by a number of leap seconds (currently 37). Splunk and most systems use UTC, so your converted time may be offset by this difference.
    • If you need exact UTC, subtract the current TAI-UTC offset (e.g., 37 seconds) from tai64_epoch

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
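
An added example (not code from any poster in this thread) of the decoding steps listed in the answer above, in Python with exact integer arithmetic. It also shows that doing the same subtraction in 64-bit floats lands on 1744972800 (10:40:00), the time reported in the question, because doubles near 2^62 are spaced 1024 apart. The function names and the tai_minus_utc parameter are assumptions: 10 gives the output the question expects, 37 is the TAI-UTC difference cited in the answer.

```python
from datetime import datetime, timedelta, timezone

TAI64_BASE = 1 << 62  # 0x4000000000000000, the offset subtracted in the answer
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_tai64n(label):
    """Return (seconds, nanoseconds) from an '@' + 24-hex-digit TAI64N label."""
    hexpart = label[1:] if label.startswith("@") else label
    if len(hexpart) != 24:
        raise ValueError("TAI64N label must have 24 hex digits")
    raw = int(hexpart[:16], 16)   # exact: Python ints are arbitrary precision
    nanos = int(hexpart[16:], 16)
    if raw < TAI64_BASE or nanos >= 1_000_000_000:
        raise ValueError("label outside the supported TAI64N range")
    return raw - TAI64_BASE, nanos


def parse_seconds_via_float(label):
    """Same subtraction carried out in 64-bit floats, to show the precision loss."""
    hexpart = label[1:] if label.startswith("@") else label
    return int(float(int(hexpart[:16], 16)) - float(TAI64_BASE))


def format_tai64n(label, tai_minus_utc=0):
    """Format as 'YYYY-mm-dd HH:MM:SS.mmm' after removing tai_minus_utc seconds.

    tai_minus_utc is a hypothetical parameter: which offset applies depends
    on how the writer of the log derived its labels.
    """
    secs, nanos = parse_tai64n(label)
    moment = EPOCH + timedelta(seconds=secs - tai_minus_utc)
    # Truncate (not round) so 999.6 ms can never print as ".1000".
    return moment.strftime("%Y-%m-%d %H:%M:%S") + ".%03d" % (nanos // 1_000_000)


if __name__ == "__main__":
    sample = "@4000000068022d4b072a211c"  # identifier from the question
    print("exact seconds :", parse_tai64n(sample))
    print("float seconds :", parse_seconds_via_float(sample))
    for offset in (0, 10, 37):
        print("offset %2d     :" % offset, format_tai64n(sample, offset))
```
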

ITWhisperer
SplunkTrust

If I understand correctly, the TAI64 time scale does not align completely with the UTC time scale, so you can expect inaccuracies when trying to convert TAI64 seconds to UTC. There are Python modules around which do these conversions, so you might need to write or find a custom command to handle this conversion for you.

0 Karma

ranandeshi
New Member

Okay, thank you for your reply. Is it possible to parse the TAI64N timestamp while indexing? If so, how can we do it?

0 Karma

livehybrid
SplunkTrust

Hi @ranandeshi 

I've posted an updated SPL directly on the question, but you can make this a single EVAL with:

| eval formatted_time = strftime((tonumber(substr(identifier,2,16),16) - tonumber("4000000000000000",16) + tonumber(substr(identifier,18,8),16) / 1000000000), "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", round(tonumber(substr(identifier,18,8),16) / 1000000, 0))

This means you could possibly use INGEST_EVAL to overwrite the _time field:

== props.conf ==
[yourSourcetype]
TRANSFORMS-taiTime = taiTimeExtract

== transforms.conf ==
[taiTimeExtract]
INGEST_EVAL = _time:=strftime((tonumber(substr(identifier,2,16),16) - tonumber("4000000000000000",16) + tonumber(substr(identifier,18,8),16) / 1000000000), "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", round(tonumber(substr(identifier,18,8),16) / 1000000, 0))

However, this assumes "identifier" is a field it can eval against. You might need to extract this first.

Do you have a sample event I can work on to help or is this enough to get you started?

0 Karma