Splunk Search

How to convert epoch timestamp to readable date format?

tattoostreet
Engager

Hi,

I am browsing information on one of our ticketing server databases, however, when I try to show table contents, it shows a weird format of date like the one below. Can anyone help how I can fix this? Thanks!

SystemLogID: 1713

CreatedDate: 1405343596.040

UserID: XX

Actions: XX

IsActive: XX

TicketID: XXXX

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

That's an epoch timestamp, seconds.milliseconds since 1970. You can convert that to a readable format by appending this to your search:

... | fieldformat CreatedDate = strftime(CreatedDate, "%F %T.%3N")

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

That's an epoch timestamp, seconds.milliseconds since 1970. You can convert that to a readable format by appending this to your search:

... | fieldformat CreatedDate = strftime(CreatedDate, "%F %T.%3N")

sunnyparmar
Communicator

Thanks.. It's work in my case..

0 Karma

bluemarvel
Path Finder

works thank you

0 Karma

brigancc
Explorer

My Epoch timestamp was something like this

StartTime=1449559286189
EndTime=1449577678580

So dividing it by 1000 did the trick

eval StartTime=StartTime/1000, EndTime=EndTime/1000 | fieldformat StartTime=strftime(StartTime, "%F %T.%3N") | fieldformat EndTime=strftime(EndTime, "%F %T.%3N")

muralianup
Communicator

Or you can create a macro as well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...