Splunk Dev

convert unix time to human readable time

raindrop18
Communicator

I have unix time format on my log and wants to convert to human readable, the method using for epoch time didn't work for me.

3365196938 [http-bio-8080-exec-113] INFO  user login to the system with valid account [xxx.xxx.xxx]
Tags (1)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Is that literally the exact number in your "Unix timestamp"? That's sometime in August of 2076.

My guess is that this is some sort of variant timestamp that is based on 1910. Probably a windowing method someone invented to buy time for Y2K... or to get you past the 2038 problem...? Naw, just nonsense. What version of Unix are you running?

Also, can you confirm the exact local time on your cpu of any particular timestamp, or the interval between two of them? Those three timestamps you posted are sequential numbers, so they might be log record numbers, rather than actual timestamps.

yannK
Splunk Employee
Splunk Employee

3365196938 is not a valid epoch time. It seems way in the future.

How do you translate it ?

0 Karma

cmerriman
Super Champion

try something like this:

...|rex "(?<unixtime>\d+) "|eval time=strftime(unixtime,"%Y/%m/%d %H:%M:%S")
0 Karma

raindrop18
Communicator

it's populate with the same unix time format.

3365196938 [http-bio-8080-exec-113] INFO user login to the system with valid account [xxx.xxx.xxx]
3365196939 [http-bio-8080-exec-113] INFO user login to the system with valid account [xxx.xxx.xxx]
3365196940 [http-bio-8080-exec-113] INFO user login to the system with valid account [xxx.xxx.xxx]

Ihave tried epoch time conversion but that didn't work (eval te=strptime(t,"%b %d %T %Y %Z") | eval tl=strftime(te,"%b %d %T %Y %Z")

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you looking to update the raw event itself with human readable timestamp? The rex command actually extracts a new field, doesn't update raw data.

0 Karma

raindrop18
Communicator

I want to the new field not raw.

0 Karma

masonmorales
Influencer

Are you sure that the first number is actually a timestamp? When I use an epoch converter that timestamp lands in the year 2076.

But, to answer your question, you can usually just do convert ctime(your_epic_timestamp_field)

0 Karma

raindrop18
Communicator

thanks for quick response but unfortunately didn't work for m.

0 Karma

cmerriman
Super Champion

what did it populate, if anything? what method were you using originally?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...