Splunk Search

Why does SPLUNK show Date as a number?

hylee
Explorer

Why does SPLUNK show Date as a number?

For example, data(DATETIME) in a table is "2013-12-09 18:06:12". but in SPLINK, it shows "1386579972.000".

SPLUNK doesn't read DATETIME format? or why?
I don't want to change the DB table..

Is there any way to correct in SPLUNK? help me..
I hope to see the data(DATETIME) as a date in SPLUNK..

Tags (3)
0 Karma

hylee
Explorer

oh~ thank you so much

0 Karma

aholzer
Motivator

Like @Ayn says, your field will be stored as an epoch time. You can then use the convert command or the strftime eval function to convert your field into a human readable format. Like so:

| convert ctime(date) as human_readable_date
or
| eval human_readable_date=strftime(date,"%Y-%m-%d %H:%M:%S")

Hope this helps

Ayn
Legend

"1386579972" IS the date, it's just in another format - specifically, it's epoch, which is the number of seconds since January 1st 1970 00:00. You could check this yourself by using something like http://www.epochconverter.com/ .

I don't understand what the problem is. Splunk will parse this and set the correct timestamp, so what is the issue you're running into?

hylee
Explorer

I didn't know that. thank you

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...