Getting Data In

Epoch time stamp dilemma - how do I convert the epoch time stamp upon ingestion?

jcorcorans
Engager

Is there a regex to convert the epoch to human-readable time upon ingestion?

[1720450799] Error: Got check result for service 'CPU Usage' on host.
[1720450799] Error: Got check result for service 'Disk Usage var' on host.
[1720450799] Error: Got check result for service 'Disk Usage opt' on host.

0 Karma
1 Solution

marnall
Motivator

Regex does not convert the epoch time, but it can extract the time for further conversion.

If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime().


inventsekar
SplunkTrust

Hi @jcorcorans, one basic query: do you want to onboard the logs, or are the logs already onboarded and contain the timestamp in epoch format (for example, 1720450799)?


Using props.conf, during the data onboarding/ingestion, we can specify which field holds the timestamp and what its format is, so Splunk will read the timestamp and the logs fine. (The timestamp internal to Splunk is in epoch time format; when displaying search results, Splunk converts the timestamp to human-readable format.)

Once you have ingested/onboarded the logs, and the timestamp is still showing in epoch format, then you can use the convert functions.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

ITWhisperer
SplunkTrust

Try something like this

TIME_FORMAT = [%s]
0 Karma
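The props.conf setting above is the key line, but on its own it does not tell Splunk where in the event to look. The stanza below is an added example, not code from the thread or from Splunk's documentation; it assumes a sourcetype named epoch_bracket_logs (a hypothetical name) for lines shaped like the three error lines in the question, and fixes the timestamp location so Splunk never falls back to guessing.

```ini
# Added example (not from the original thread): props.conf stanza for the
# hypothetical sourcetype "epoch_bracket_logs", whose events look like
#   [1720450799] Error: Got check result for service 'CPU Usage' on host.
[epoch_bracket_logs]
# One event per line: disable line merging and break on newlines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp begins immediately after the opening square bracket at
# the start of the line; anchoring with ^ avoids matching a bracketed
# number that appears later in the message text.
TIME_PREFIX = ^\[
# %s = seconds since the Unix epoch, no timezone needed (epoch is UTC).
TIME_FORMAT = %s
# Epoch seconds are 10 digits; cap the scan so Splunk does not read past
# the closing bracket into the message.
MAX_TIMESTAMP_LOOKAHEAD = 10
```

Put the stanza on the parsing tier (indexer or heavy forwarder) before the data is indexed: timestamp extraction is an index-time setting, so events that are already indexed keep whatever _time they were assigned. To check it, search the sourcetype and confirm that the sample event's _time renders as 2024-07-08 14:59:59 when the user's timezone is set to UTC.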

gcusello
SplunkTrust

Hi @jcorcorans ,

as @marnall said, your events should take the timestamp from the epoch time in square brackets and assign it to the _time field: it will be readable during the event display.

If not, you can extract this epoch time using a regex and then convert it using an eval; regex cannot be used for conversion:

<your_search>
| rex "\[(?<epoch_timestamp>\d+)\]"
| eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")

 Ciao.

Giuseppe
