Hi folks,
Instead of using the _time to convert the Epoch time into something more readable, I want to use deviceCustomDate1, as it is a device detect time, which is more useful. Problem is, all my timestamps return 31 DEC 9999 as the date. I think this is due to the deviceCustomDate1 field being 13 digits instead of the usual 10, since the milliseconds are tracked. How can I get these 13-digit timestamps to eval using the strftime function?
Divide the timestamp by 1000 before strftime()'ing it.
But dividing it by 1000 makes it less accurate. Isn't there a way to convert it but also keep the milliseconds?
I found a post that in Splunk it's only possible to convert 10-digit timestamps. But that post is from 2015. Hope Splunk has more possibilities now.
Elegant! I was overthinking it lol. I was thinking a props.conf edit!
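Added example, not part of the original thread: the divide-by-1000 approach written out as a search that keeps the milliseconds. The eval division produces a fractional epoch and the `%3N` format variable prints the sub-second part. It goes slightly beyond the question by also passing 10-digit values through unchanged. Assumptions: the two sample values are constructed, `detect_epoch` and `detect_time` are hypothetical field names, and any value of 100000000000 or more is treated as milliseconds.

```spl
| makeresults count=2
| streamstats count AS n
| eval deviceCustomDate1=if(n=1, 1700000000123, 1700000000)
| eval detect_epoch=if(deviceCustomDate1 >= 100000000000, deviceCustomDate1/1000, deviceCustomDate1)
| eval detect_time=strftime(detect_epoch, "%Y-%m-%d %H:%M:%S.%3N")
| table deviceCustomDate1 detect_epoch detect_time
```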