Is there a regex to convert the epoch to human-readable time upon ingestion?
[1720450799] Error: Got check result for service 'CPU Usage' on host.
[1720450799] Error: Got check result for service 'Disk Usage var' on host.
[1720450799] Error: Got check result for service 'Disk Usage opt' on host.
Regex does not convert the epoch time, but it can extract the time for further conversion.
If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime().
Hi @jcorcorans, one basic query: do you want to onboard the logs, or are the logs already onboarded and contain the timestamp in epoch format (for example, 1720450799)?
Using props.conf during data onboarding/ingestion, we can specify which field holds the timestamp and its format, so Splunk will read the timestamp and the logs fine. (The timestamp internal to Splunk is in epoch format; when displaying search results, Splunk converts the timestamp to a human-readable format.)
Once you have ingested/onboarded the logs and the timestamp is still showing in epoch format, you can use the convert functions.
Try something like this
TIME_FORMAT = [%s]
Hi @jcorcorans ,
as @marnall said, your events should take the timestamp from the epoch time in square brackets and assign it to the _time field: it will be readable in the event display.
If not, you can extract this epoch time using a regex and then convert it using an eval; a regex cannot be used for the conversion:
<your_search>
| rex "\[(?<epoch_timestamp>\d+)\]"
| eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")
Ciao.
Giuseppe
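To check what the rex plus strftime step in the answer above should produce on the question's sample lines before touching props.conf, here is an added Python example (not from the thread or from Splunk) that applies the same bracketed-epoch regex and the same "%Y-%m-%d %H:%M:%S" format; it pins the output to UTC, whereas Splunk renders _time in the searching user's time zone, and it separates lines that have no epoch prefix, since those would fall back to Splunk's timestamp guessing.

```python
import re
from datetime import datetime, timezone

# Same idea as the answer's rex: a leading "[<digits>]" holds epoch seconds.
EPOCH_RE = re.compile(r"^\[(?P<epoch_timestamp>\d+)\]\s*(?P<message>.*)$")

# Constructed sample input: the three lines from the question plus one
# line without an epoch prefix, to show the fallback path.
SAMPLE_LINES = [
    "[1720450799] Error: Got check result for service 'CPU Usage' on host.",
    "[1720450799] Error: Got check result for service 'Disk Usage var' on host.",
    "[1720450799] Error: Got check result for service 'Disk Usage opt' on host.",
    "Error: line without a bracketed epoch, left for the fallback path",
]


def epoch_to_text(epoch_seconds, fmt="%Y-%m-%d %H:%M:%S"):
    """Counterpart of strftime(epoch_timestamp, fmt), rendered in UTC.

    Splunk formats _time in the user's configured time zone; the zone is
    fixed to UTC here so the result is the same on every machine.
    """
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime(fmt)


def parse_line(line):
    """Return (epoch, human-readable time, message), or None if no epoch prefix."""
    m = EPOCH_RE.match(line)
    if m is None:
        return None
    epoch = int(m.group("epoch_timestamp"))
    return epoch, epoch_to_text(epoch), m.group("message")


def parse_lines(lines):
    """Split lines into parsed tuples and lines lacking a usable epoch prefix."""
    parsed, unparsed = [], []
    for line in lines:
        result = parse_line(line)
        if result is None:
            unparsed.append(line)
        else:
            parsed.append(result)
    return parsed, unparsed


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for epoch, ts, msg in ok:
        print(f"{ts} ({epoch}) {msg}")
    print(f"{len(bad)} line(s) have no epoch prefix and would need another timestamp source")
```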