- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to convert 18 character epoch time to form...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard that shows the status of certain logs reporting to Splunk. Within this dashboard, it also shows the last time an event was sent. Most of my log sources reports in 12 character Epoch time but I do have a few that reports in 18 character epoch time. For the ones that report in 18 characters, Splunk thinks that these events are happening in the future. Is there a way to fix this so that Splunk understands the 18 characters?
The source for the dashboard is the following:
| metadata index=* type=sourcetypes | stats max(lastTime) as lastEvent by sourcetype | convert ctime(*Event) | search sourcetype!="*too_small" | search ( **OMITTED** ) | eval LastEventEpoch = lastEvent | eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S") | eval nowEpoch=now() | eval diff = nowEpoch - lastEventEpoch| eval diff=if(diff>0, diff, 0) | eval status=case(diff >= 1 AND diff <=1800, "RUNNING", diff > 1801, "DOWN", diff=0, "OFFLINE/EVENT IN THE FUTURE") | sort - status| rename sourcetype AS Sourcetype, lastEvent AS "Last Seen Event", status AS Status | table Sourcetype, "Last Seen Event", Status
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using regex to peel out the first 12 digits of your time. something like this:
| rex field=_time "(?<_time>\d{12})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using regex to peel out the first 12 digits of your time. something like this:
| rex field=_time "(?<_time>\d{12})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!!!! This fixed the issue!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of
eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S")
You might try
eval lastEventEpoch = strptime('lastEvent', "%m/%d/%Y %H:%M:%S") | eval lastEventEpoch_s = strftime(lastEventEpoch, "%s") | eval lastEventEpoch_rnd = round(lastEventEpoch_s/1000)
Then use the new field lastEventEpoch_rnd in your comparison.
In theory, the strptime will convert the string into a time. The strftime will change the time format to epoch. The round will take the time/1000 and basically remove the microseconds.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help. Using regex to peel the first 12 characters did the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some sample events where you get 18 character epoch timestamp?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using regex to strip the first 12 characters fixed the issue. Thanks
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
