Splunk Search

Easy Epoch time transformation

nkrestakos
Engager

I have a lot of DB Connect inputs connecting to MS SQL databases. a lot of the data i am pulling from these inputs have multiple date/time fields. Ususally one of the fields is my output timestamp and that will get read correctly. The other date/time fields will end up being converted by splunk to Epoch time. would i need a stanza in props.conf to address this and if so would i need to identify the fields in the stanza?

Tags (3)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

If you want the other timestamp fields left alone, you can probably achieve that in SQL. You can cast the column from a TIMESTAMP type to a VARCHAR type. I would be careful, though, of timezone issues with doing this.

Alternately, you could use calculated fields to reproduce human readable times.

0 Karma

bambarit
Explorer

any tutorial for doing this one?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...