Getting Data In

Help with converting epoch to human readable at index time

vrmandadi
Builder

I have json format data with a field called uploadDate .This has values like /Date(1584037059228)/ , /Date(1584033289090)/ etc . What stanza do I need to add at index time so that it will take the uploadDate as the timestamp field and convert it to human readable format .The following strftime works when testing

strftime(epoch/1000, "%Y-%m-%d %H:%M:%S")

Sample event

{"fileName":"TEST.yxmd","id":"0bb814","isChained":false,"metaInfo":{"author":"","copyright":"","description":"","name":"ATEST","noOutputFilesMessage":"","outputMessage":"","url":"","urlText":""},"packageType":1,"public":false,"runCount":1,"runDisabled":false,"subscriptionId":"5d395","uploadDate":"\/Date(1584037059228)\/","version":null,"workerTag":"","collections":[{"collectionId":"5e6a534","collectionName":"Test"}],"lastRunDate":"\/Date(1584037059000-0400)\/","publishedVersionId":"5e6a0031bb","publishedVersionNumber":4,"publishedVersionOwner":{"active":true,"email":"son.com","firstName":"a","id":"c398","lastName":"ngi","sId":null,"subscriptionId":"3c395"},"subscriptionName":"i"}

Thanks in Advance

0 Karma

nikita_p
Contributor

Hey @vrmandadi,

To convert epoc time to human readable format you will have to create props.conf before indexing your data.
Please update these setting in your props.conf for respected app:

[Your_Sourcetype]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_FORMAT = %s%3N
TIME_PREFIX = \/Date
category = Structured
disabled = false
pulldown_type = true

Let me know if this works.

0 Karma

anmolpatel
Builder
0 Karma

vrmandadi
Builder

@anmolpatel .Thank you for your reply but it did not work

0 Karma

anmolpatel
Builder

check your MAX_TIMESTAMP_LOOKAHEAD (default is 128 char, which doesn't apply in your case) and TIME_PREFIX in props.conf for the selected sourcetype.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...