Getting Data In

Epoch time stamp dilemma - how do I convert the epoch time stamp upon ingestion?

jcorcorans
Engager

Is there a Regex to convert the epoch to human-readable time upon ingestion?

[1720450799] Error: Got check result for service 'CPU Usage' on host.
[1720450799] Error: Got check result for service 'Disk Usage var' on host.
[1720450799] Error: Got check result for service 'Disk Usage opt' on host.

0 Karma
1 Solution

marnall
Motivator

Regex does not convert the epoch time, but it can extract the time for further conversion.

If those logs are taken from a single log file, then Splunk will by default put each line in a separate event and most likely guess the epoch as the timestamp. Then the timestamp (_time) will be human-readable in the event view, or it can be made human-readable using ctime().


inventsekar
SplunkTrust
SplunkTrust

Hi @jcorcorans, one basic query: do you want to onboard the logs, or are the logs already onboarded and contain the timestamp in epoch format (for example, 1720450799)?

Using props.conf, during data onboarding/ingestion, we can specify which field has the timestamp and its format, so Splunk will read the timestamp and the logs fine. (The timestamp internal to Splunk is in epoch format. When displaying search results, Splunk converts the timestamp to a human-readable format.)

Once you have ingested/onboarded the logs and the timestamp is still showing in epoch format, then you can use convert functions.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

TIME_FORMAT = [%s]
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jcorcorans ,

as @marnall said, your events should take the timestamp from the epoch time in square brackets and assign it to the _time field: it will be readable during the event display.

If not, you can extract this epoch time using a regex and then convert it using an eval; a regex cannot be used for the conversion:

<your_search>
| rex "\[(?<epoch_timestamp>\d+)\]"
| eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe
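To make the two-stage answer above (extract the bracketed epoch with rex, then render it with strftime) checkable offline, here is an added Python example that is not part of any post on this thread and not Splunk code: it applies the same capture group to constructed sample events in the poster's format, renders the epoch in UTC, and shows what happens on a line with no leading epoch (the field stays null, just as the rex stage would leave it unset). The sample events, the helper names and the UTC choice are assumptions made for the example; Splunk's own strftime renders in the search user's timezone.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events in the same shape as the poster's log lines
# (hypothetical data for this example, not taken from a real system).
SAMPLE_EVENTS = [
    "[1720450799] Error: Got check result for service 'CPU Usage' on host.",
    "[1720450799] Error: Got check result for service 'Disk Usage var' on host.",
    "[1720450799] Error: Got check result for service 'Disk Usage opt' on host.",
    "Error: a line with no leading epoch, so the extraction yields nothing.",
]

# Same capture as the SPL stage:  rex "\[(?<epoch_timestamp>\d+)\]"
EPOCH_RE = re.compile(r"\[(?P<epoch_timestamp>\d+)\]")


def extract_epoch(event: str) -> Optional[int]:
    """Mirror of the rex stage: first bracketed integer, or None when absent."""
    m = EPOCH_RE.search(event)
    return int(m.group("epoch_timestamp")) if m else None


def epoch_to_text(epoch: Optional[int], fmt: str = "%Y-%m-%d %H:%M:%S") -> Optional[str]:
    """Mirror of  eval timestamp=strftime(epoch_timestamp, fmt).

    Rendered in UTC (an assumption for this example) so the output does not
    depend on the machine's local zone; a null input yields a null output,
    as eval does for an unset field.
    """
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def convert_events(events):
    """Run both stages over raw events and keep the raw text next to the
    extracted and converted fields, like rows of a Splunk result table."""
    rows = []
    for raw in events:
        epoch = extract_epoch(raw)
        rows.append({
            "_raw": raw,
            "epoch_timestamp": epoch,
            "timestamp": epoch_to_text(epoch),
        })
    return rows


if __name__ == "__main__":
    for row in convert_events(SAMPLE_EVENTS):
        print(f"{row['epoch_timestamp']!s:>12}  {row['timestamp']!s:<20}  {row['_raw']}")
```

Running it prints the three constructed events with 1720450799 rendered as 2024-07-08 14:59:59 (UTC) and None for the fourth line. If the rex-extracted field is not being converted in your own search, check for exactly that case: events where the bracketed epoch is missing or not at the expected position leave epoch_timestamp unset, and every eval on it returns null.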

