Hi,
I have a number of pre-existing date fields from Nessus that are reported in epoch format. I'd like to add a new field that translates that field into Julian format. How would I do that?
This link had the same issue, but I don't see an answer. I know that this can be done at search time, but I want it done automatically, retaining the original field and adding a new one with the converted date.
https://answers.splunk.com/answers/499710/how-to-convert-epoch-to-human-readable-in-kv-mode.html
hey buddy - I'm confused on this one because it sounds like you outlined the answer... so I probably am just misreading.
Here's what I interpreted (spot the mistake?):
You get data with a time stamp as epoch. When the data is searched, you want there to be available a field that presents the data formatted as Julian and you want it automatically part of the sourcetype (not put in search box each time).
I would solve this by adding a calculated field to the sourcetype (or source, or host) to automatically perform the strftime function of eval using the Common Time Format Variables:
julian = strftime(_time, "%Y%m%d")
Although I may be misunderstanding what you want with Julian since it seems to be defined as both YYYYMMDD and count of days since a point in time. Let us know which and we can keep moving.
Hey Burch,
Sorry - got sidetracked. I'll try this out - haven't done a calculated field before.
Thanks!
I was able to create a calculated field using this:
strftime(patchPubDate,"%Y-%m-%dT%H:%M:%S")
I do have another question. The large majority of these events don't have a valid epoch time - they come in with "-1". Should I add some logic to my field to bypass processing on those events?
I tried setting this up, but wasn't able to get it working:
if(patchPubDate>0),strftime(patchPubDate,"%Y-%m-%dT%H:%M:%S")
Hey hey - if you're just doing "%Y-%m-%dT%H:%M:%S"
then you might find a simpler approach with
| convert ctime( patchPubDate )
The logic of the if statement is missing the else part. Share more info on why it wasn't working. What was the result? I'm guessing it threw an error in the UI.
Create your calculated field in an inline search before putting it into a new field. It will do wonders for debugging.
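For reference, here is what the complete calculated field from this thread looks like once the missing else branch is supplied, written up as an added example rather than a snippet from any of the posters. The stanza name `nessus:scan` and the output field names are assumptions; the `EVAL-<field>` key, `if()`, `tonumber()`, `strftime()` and `null()` are standard Splunk props.conf and eval features. `null()` leaves the new field absent on the "-1" events instead of producing a 1969 timestamp, and the original `patchPubDate` field is left untouched.

```ini
# props.conf (search-time, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf)
# Constructed example: "nessus:scan" is an assumed sourcetype name; use the
# sourcetype, source:: or host:: stanza that your Nessus events actually carry.
[nessus:scan]

# ISO-8601 style timestamp, only when the epoch value is usable.
# Nessus sends -1 when no date is available; the guard keeps the new field
# absent for those events instead of formatting -1 as a 1969 timestamp.
EVAL-patchPubDate_iso = if(tonumber(patchPubDate) > 0, strftime(tonumber(patchPubDate), "%Y-%m-%dT%H:%M:%S"), null())

# "Julian" read as YYYYMMDD, with the same guard.
EVAL-patchPubDate_julian = if(tonumber(patchPubDate) > 0, strftime(tonumber(patchPubDate), "%Y%m%d"), null())

# To debug before committing this to props.conf, run the same expression inline
# (assumed index name):
#   index=nessus sourcetype="nessus:scan"
#   | eval patchPubDate_iso=if(tonumber(patchPubDate) > 0, strftime(tonumber(patchPubDate), "%Y-%m-%dT%H:%M:%S"), null())
#   | table patchPubDate patchPubDate_iso
```

The two-argument `if(...)` from the earlier post fails because eval's `if()` requires exactly three arguments (condition, true-value, false-value); the inline search above surfaces that kind of error immediately, which is why testing the expression with `| eval` first is the quicker path.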