Solved: convert epoch time to human readable format issue

Arpmjdr · ‎09-10-2019

Hello Fellows,

I am trying to convert epoch time to "%m/%d/%Y %H:%M:%S" format. The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. It is not showing any value in the human readable time column.Kindly help

events:

query I am using:
index=abc sourcetype=xyz
| rex field=_raw ^(?P\d+\s+)
| eval timestamp=strftime(strptime(epoch_time,"%m/%d/%Y %H:%M:%S"),"%m/%d/%Y %H:%M:%S")
| table host epoch_time timestamp

jpolvino · ‎09-10-2019

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

View solution in original post

jpolvino · ‎09-10-2019

Looks like your rex didn't copy correctly, so here is some speculation: your rex extracts the epoch time with a trailing space.

This fails to return a timestamp field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+\s+)"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

But this does return the field:

| makeresults 
| eval _raw="1568095811 and some text after"
| table _raw
| rex field=_raw "^(?P<epoch_time>\d+)\s+"
| eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")

Note that the second one captures digits only, while the one above it allows for a trailing space which doesn't work with strftime.

Again, this is speculation because you didn't provide the sample event and it looks like your rex paste got botched. Also, your rex mandates that the epoch time you are extracting is at the start of the line...make sure this is accurate. If you could post a sanitized event, that would help a lot. Hope this helps!

Arpmjdr · ‎09-11-2019

you are 100% correct @jpolvino my rex command was not proper.Now it is working perfect ..Thank u 🙂

Sukisen1981 · ‎09-10-2019

can you show how your extracted epoch time looks like?

Arpmjdr · ‎09-10-2019

sure.it is reflecting as "1568095811"

Arpmjdr · ‎09-10-2019

i have used this to extract "| rex field=_raw ^(?P(epoch_time)\d+\s+)" .. the line dint come properly while posting the question.

Sukisen1981 · ‎09-10-2019

if your epoch_time is coming as a number, you probably need this eval timestamp=strftime(epoch_time,"%m/%d/%Y %H:%M:%S")| table host epoch_time timestamp

Arpmjdr · ‎09-10-2019

I have tried this already.But no value is coming in the "timestamp" column in the table

Sukisen1981 · ‎09-10-2019

can you check if the epoch_time is coming as number or string when you extract it? it should come as # indicating number type, if it is coming as string use a tonumber() to convert the string to a number

Arpmjdr · ‎09-11-2019

My rex command was not correct @Sukisen1981 . now it worked..Appreciate your inputs 🙂

convert epoch time to human readable format issue

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life