Splunk Search

how to convert TAI64N to human readable format

ranandeshi
New Member

Hello,

I would like some help to convert the TAI64N format to "%m/%d/%Y %H:%M:%S". I tried to use the following query:

| makeresults
| eval identifier="@4000000068022d4b072a211c"
| eval tai64n_hex = substr(identifier, 2)
| eval tai64_seconds = tonumber(substr(tai64n_hex, 1, 16), 16) - tonumber("4000000000000000", 16)
| eval tai64_nanoseconds = tonumber(substr(tai64n_hex, 17, 8), 16)
| eval tai64_milliseconds = round(tai64_nanoseconds / 1000000, 3)
| eval formatted_time = strftime(tai64_seconds, "%m-%d-%Y %H:%M:%S") . "." . printf("%03d", round(tai64_milliseconds, 0))
| table formatted_time

But the value that's returning is incorrect; sometimes the time is ~5 seconds beyond the _time and sometimes it's ~5 seconds behind the _time. I don't see the precise value being shown.

The formatted_time should give me an output "2025-04-18 10:45:21.120" but I get this "04-18-2025 10:40:00.120"

Can someone assist me on this?

0 Karma

livehybrid
SplunkTrust

Hi

To accurately convert TAI64N to a human-readable timestamp in Splunk, you need to:

    • Subtract the TAI64 epoch offset (0x4000000000000000) from the first 16 hex digits (seconds)
    • Add the nanoseconds (next 8 hex digits) as a fractional part
    • Format the result using strftime and printf

Here's the corrected SPL:

| makeresults
| eval identifier="@4000000068022d4b072a211c"
| eval tai64n_hex = substr(identifier, 2)
| eval tai64_seconds = (tonumber(substr(tai64n_hex, 1, 8), 16) - tonumber("40000000", 16)) * 4294967296 + tonumber(substr(tai64n_hex, 9, 8), 16)
| eval tai64_nanoseconds = tonumber(substr(tai64n_hex, 17, 8), 16)
| eval tai64_epoch = tai64_seconds + (tai64_nanoseconds / 1000000000)
| eval formatted_time = strftime(tai64_epoch, "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", floor(tai64_nanoseconds/1000000))
| table formatted_time

tai64_seconds extracts and normalises the seconds since Unix epoch.

tai64_nanoseconds extracts the nanoseconds.

tai64_epoch combines seconds and fractional seconds.

strftime formats the timestamp, and printf ensures milliseconds are zero-padded.

Note:

    • TAI64N timestamps are based on TAI, not UTC. TAI is ahead of UTC by a number of leap seconds (currently 37). Splunk and most systems use UTC, so your converted time may be offset by this difference.
    • If you need exact UTC, subtract the current TAI-UTC offset (e.g., 37 seconds) from tai64_epoch


0 Karma

ITWhisperer
SplunkTrust

If I understand correctly, TAI64 time scale does not align completely with UTC time scale, so you can expect inaccuracies when trying to convert TAI64 seconds to UTC. There are python modules around which do these conversions, so you might need to write or find a custom command to handle this conversion for you.

0 Karma
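Added example (not part of the original posts): a Python check of why the query in the question lands on 10:40:00, next to an exact integer parse of the same identifier. Held as an IEEE-754 double, the 16-hex-digit seconds field exceeds 2^53 and is rounded to a multiple of 1024 seconds before the subtraction; treating eval arithmetic as double precision is an assumption here, and it reproduces the value reported in the question. The function names are hypothetical, the 10-second offset assumes a writer that stamps Unix time plus a fixed 10 seconds (as libtai's tai_now does), and 37 is the TAI-UTC figure quoted in the answer above.

```python
from datetime import datetime, timezone

TAI64_BASE = 1 << 62  # 0x4000000000000000, the label value for second 0 of 1970
SAMPLE = "@4000000068022d4b072a211c"  # identifier quoted in the question

def _hex(label):
    """Strip the leading '@' and check the label length."""
    digits = label[1:] if label.startswith("@") else label
    if len(digits) != 24:
        raise ValueError("TAI64N label needs 24 hex digits")
    return digits

def parse_tai64n(label):
    """Exact integer parse: (seconds since 1970 on the label's scale, nanoseconds)."""
    digits = _hex(label)
    secs = int(digits[:16], 16) - TAI64_BASE
    nanos = int(digits[16:], 16)
    if nanos >= 1_000_000_000:
        raise ValueError("nanosecond field out of range")
    return secs, nanos

def seconds_via_double(label):
    """Same subtraction, but with the 64-bit field held as an IEEE-754 double."""
    return float(int(_hex(label)[:16], 16)) - float(TAI64_BASE)

def format_utc(secs, nanos, offset=0):
    """Render as UTC with milliseconds truncated, after removing a fixed offset."""
    dt = datetime.fromtimestamp(secs - offset, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + ".%03d" % (nanos // 1_000_000)

if __name__ == "__main__":
    secs, nanos = parse_tai64n(SAMPLE)
    lossy = int(seconds_via_double(SAMPLE))
    print("double :", format_utc(lossy, nanos))      # field rounded to 1024 s
    print("exact  :", format_utc(secs, nanos))       # label time, no offset
    print("minus10:", format_utc(secs, nanos, 10))   # fixed 10 s writer offset
    print("minus37:", format_utc(secs, nanos, 37))   # TAI-UTC from the answer
```

Which offset applies depends on how the program that wrote the label derived it, so compare one converted value against a known event time before settling on 10 or 37.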

ranandeshi
New Member

Okay, thank you for your reply. Is it possible to parse the TAI64N timestamp while indexing? If so, how can we do it?

0 Karma

livehybrid
SplunkTrust

Hi @ranandeshi 

I've posted an updated SPL directly on the question, but you can make this a single EVAL with:

| eval formatted_time = strftime(((tonumber(substr(identifier,2,8),16) - tonumber("40000000",16)) * 4294967296 + tonumber(substr(identifier,10,8),16) + tonumber(substr(identifier,18,8),16) / 1000000000), "%Y-%m-%d %H:%M:%S") . "." . printf("%03d", floor(tonumber(substr(identifier,18,8),16) / 1000000))

This means you could possibly use INGEST_EVAL to overwrite the _time field:

== props.conf ==
[yourSourcetype]
TRANSFORMS-taiTime = taiTimeExtract

== transforms.conf ==
[taiTimeExtract]
INGEST_EVAL = _time:=(tonumber(substr(identifier,2,8),16) - tonumber("40000000",16)) * 4294967296 + tonumber(substr(identifier,10,8),16) + tonumber(substr(identifier,18,8),16) / 1000000000

However, this assumes "identifier" is a field it can eval against. You might need to extract this first.

Do you have a sample event I can work on to help or is this enough to get you started?


0 Karma