Solved: How to extract date from value in internal records...

wwhitener · ‎09-19-2011

I'm trying to do some data mining and I keep seeing values for what appear to be date fields that make no sense to me. For example, in looking at the /opt/splunk/var/log/splunk/splunkd.log file, I would expect there to be a timestamp in the now fields. There is a long value that doesn't appear to make sense as a date value.

Is there a way to decode dates? And is there a way to do it in a saved search?

Thanks!

Ayn · ‎09-19-2011

Not entirely sure what the question is, but yes, you can decode dates using the eval function strftime. I digged around in my own splunkd.log and the values for "now" I see in events there are epoch values (seconds since 1 Jan 1970). To decode these as something human readable, use eval and strftime for instance like this:

index=_internal sourcetype="splunkd" | eval human_readable_now=strftime(now, "%+")

The field human_readable_now will now hold a time value that's a bit easier on the eyes.

View solution in original post

Ayn · ‎09-19-2011

Not entirely sure what the question is, but yes, you can decode dates using the eval function strftime. I digged around in my own splunkd.log and the values for "now" I see in events there are epoch values (seconds since 1 Jan 1970). To decode these as something human readable, use eval and strftime for instance like this:

index=_internal sourcetype="splunkd" | eval human_readable_now=strftime(now, "%+")

The field human_readable_now will now hold a time value that's a bit easier on the eyes.

How to extract date from value in internal records?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!