Solved: How to Convert epoch time to human readable format...

bugnet · ‎05-31-2015

Hi everyone,

I have the following event:

"... src=218.2.3.256 act=block app=ips rt=1433065461040 ...."
The rt field is a epoch computer time format.

Is it possible to convert the "rt" field to a user-friendly format? I searched through some of the other questions but none really addressed this specific question.

Thanks.

Damien_Dallimor · ‎05-31-2015

You can use the eval function strftime

... | eval formatted_time=strftime(rt/1000, "%H:%M:%S %d-%m-%Y")

View solution in original post

Damien_Dallimor · ‎05-31-2015

You can use the eval function strftime

... | eval formatted_time=strftime(rt/1000, "%H:%M:%S %d-%m-%Y")

bugnet · ‎05-31-2015

Does not work for me .
The "formatted_time" always displayed with the same value : 23:59:59 31-12-9999

Damien_Dallimor · ‎05-31-2015

Convert your epoch time from millis to seconds

... | eval formatted_time=strftime(rt/1000, "%H:%M:%S %d-%m-%Y")

bugnet · ‎05-31-2015

Its working!
Is it possible to do it permanent ?
I mean- To calculation it automatically on the "rt" field ?

chamambom · ‎03-03-2016

Not sure what you mean but thats what splunk is for ,to transform the fields as you want when creating the reports of the dashboards

anthonysomerset · ‎03-03-2016

you need to do a field transform at search or index time - http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Managefieldtransforms

bugnet · ‎05-31-2015

Looks good. How I can do it for all variations of the "rt" numbers?

Damien_Dallimor · ‎05-31-2015

Can you give more examples ?

How to Convert epoch time to human readable format?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!