Solved: Convert Epoch using Props.conf

JScordo · ‎01-28-2016

I have events that are coming in with no timestamp except for a field "event_sec" which gives me the time in epoch format. Is there a way to use the props.conf to convert these all to the timestamp for the events? An example of the first couple fields in the event are:

rec_type=500 rec_type_simple="FILELOG EVENT" event_sec=1453991513

Where as i would like to take the event_sec field and convert it to human readable date/time using the props.conf

jbjerke_splunk · ‎01-28-2016

Hi

This sourcetype should have this configuration

[mysourcetype ]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_FORMAT=%s
TIME_PREFIX=event_sec=

You can do more formatting at search time later on.

Please mark as answered if this is what you were looking for.

j

View solution in original post

jbjerke_splunk · ‎01-28-2016

Hi

This sourcetype should have this configuration

[mysourcetype ]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_FORMAT=%s
TIME_PREFIX=event_sec=

You can do more formatting at search time later on.

Please mark as answered if this is what you were looking for.

j

Convert Epoch using Props.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!