Epoch time, also known as Unix time, is a system for tracking a point in time, defined as the number of seconds that have elapsed since January 1, 1970, at 00:00:00 Coordinated Universal Time (UTC), excluding leap seconds. While epoch time is useful for computers, it's not very human-readable. In Splunk, you often need to convert epoch time to a more understandable format for analysis and reporting. This article will guide you through the process of converting epoch time to a human-readable format within Splunk search queries.
Imagine you have a field called "time" with a value like 1407361408100. This represents the number of milliseconds since the epoch. To make sense of this, you need to transform it into a readable date and time format, such as "Wed, 06 Aug 2014 21:43:28".
strftime() FunctionSplunk provides the strftime(X, Y) function specifically for this purpose. This function takes two arguments:
Here’s how you can use it in a Splunk search query:
sourcetype=your_sourcetype | eval human_readable_time=strftime(epoch_time_field, "%m/%d/%y %H:%M:%S") | table _time, human_readable_time
In this query:
sourcetype=your_sourcetype: Replace your_sourcetype with the actual sourcetype of your data.eval human_readable_time=strftime(epoch_time_field, "%m/%d/%y %H:%M:%S"): This is the core of the conversion.
epoch_time_field is the name of the field containing the epoch time."%m/%d/%y %H:%M:%S" is the format string. Let's break down the format string.
%m: Month as a zero-padded decimal number.%d: Day of the month as a zero-padded decimal number.%y: Year without century as a zero-padded decimal number.%H: Hour (24-hour clock) as a zero-padded decimal number.%M: Minute as a zero-padded decimal number.%S: Second as a zero-padded decimal number.table _time, human_readable_time: This displays the original _time field (Splunk's internal timestamp) and the newly created human_readable_time field in a table.The initial question in the Splunk Community post mentions a millisecond epoch time. If your epoch time is in milliseconds, you need to divide it by 1000 before using strftime(). Here's how:
sourcetype=your_sourcetype | eval human_readable_time=strftime(epoch_time_field/1000, "%m/%d/%y %H:%M:%S") | table _time, human_readable_time
Here are a few other useful format strings:
"%Y-%m-%d %H:%M:%S": Year-month-day hour:minute:second (e.g., 2023-10-27 10:30:00). This is close to the default Splunk time format."%F %T": Equivalent to "%Y-%m-%d %H:%M:%S". A more concise way to represent the same format."%a, %d %b %Y %H:%M:%S": Day of the week, day of the month, month, year, hour:minute:second (e.g., Fri, 27 Oct 2023 10:30:00). This was suggested by a user in the Splunk Community post.Refer to the Splunk documentation for a complete list of format specifiers.
Let's say you have logs with a field called "event_time" containing epoch timestamps in milliseconds. You want to display these timestamps in the format YYYY-MM-DD HH:MM:SS. Your Splunk query would look like this:
sourcetype=your_sourcetype | eval event_time_readable=strftime(event_time/1000, "%Y-%m-%d %H:%M:%S") | table event_time, event_time_readable
Once you have converted epoch times to a human-readable format, you might want to calculate the difference between two times. Here's how to do it:
| eval diff=end_time-start_time
| eval hours=floor(diff/3600)
| eval minutes=floor((diff % 3600)/60)
| eval seconds=diff % 60
strftime() respects the time zone configured in your Splunk environment. Keep this in mind if your epoch times are in a different time zone than your Splunk server.strftime() function actually exists in your data. You can use the fields command to list all available fields.strftime() function expects a numerical value (epoch time). If your field is a string, you might need to convert it to a number first using the tonumber() function.By mastering the strftime() function and understanding epoch time, you can effectively transform and analyze time-based data within Splunk, making your searches more insightful and your reports more readable.
