I'm not positive of your situation, but in our environment we have all our time fields in Epoch time format. When we have it presented in dashboards/searches we use the fieldformat function to change the Epoch time into something human readable. Most commonly we have typically used the fieldformat function when we reference our lookups so that they can be saved back to the lookup without changing the actual data (or changing out/away from the epoch time format in the lookup). For example, something simple for what we use with our lookups:
The search:
| inputlookup MyLookup.csv
| eval MyTimeField=coalesce(MyTimeField, now())
| fieldformat MyTimeField=strftime(MyTimeField, "%m/%d/%Y %H:%M:%S")
| outputlookup MyLookup.csv
Search explanation:
| inputlookup MyLookup.csv
^^^^Brings the lookup into the search
| eval MyTimeField=coalesce(MyTimeField, now())
^^^^Fills the "MyTimeField" with the current Epoch time if it does not already have a value
| fieldformat MyTimeField=strftime(MyTimeField, "%m/%d/%Y %H:%M:%S")
^^^^Changes the "MyTimeField" Epoch times into human readable format
| outputlookup MyLookup.csv
^^^^Saves the newly filled in Epoch time blanks back into the lookup file.
Although the above search would only work if your time field is in Epoch time format, the handy thing about Epoch time is that when sorting after using the fieldformat function, the time is only presented to the user in human readable format, while all the while under the hood Splunk still sees the "MyTimeField" as the Epoch time format and can sort it accordingly.
I'm not positive if this helps or answers your question. But I have found this useful in the past.
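As an added example, not from the original post, the search below replaces MyLookup.csv with a constructed four-row table (three fixed Epoch values and one blank, so coalesce has something to fill) and puts an eval'd string copy next to the fieldformat'd field. The row count, the Epoch values and the AsString name are assumptions for illustration.

```spl
| makeresults count=4
| streamstats count AS row
| eval MyTimeField=case(row==1, 1704067200, row==2, 1703980800, row==3, 1719792000, true(), null())
| eval MyTimeField=coalesce(MyTimeField, now())
| eval AsString=strftime(MyTimeField, "%m/%d/%Y %H:%M:%S")
| fieldformat MyTimeField=strftime(MyTimeField, "%m/%d/%Y %H:%M:%S")
| sort MyTimeField
| table row MyTimeField AsString
```

With `| sort MyTimeField` the rows come out 12/31/2023, 01/01/2024, 07/01/2024, then the now() row, because the sort runs on the underlying Epoch number and only the display is formatted. Swapping the last two lines for `| sort AsString` puts 01/01/2024 ahead of 12/31/2023, since that field is plain text compared character by character; writing AsString out with outputlookup in place of MyTimeField would bake that string into the CSV and every later search would inherit the broken order. strftime renders in the searching user's timezone, so the same Epoch value can display differently for different users while the stored number stays identical.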