I am uploading an XML in which one of the field is dailyTime. This dailyTime is an epoch time and i want to convert it into human readable time.
<globalView id="108" version="17" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" dailyTime="1284336038994" intervalMilliseconds="60000" writeUniqueCountersTime="0"><criteria bop="AND"><left><expr><interval serialization="custom"><com.q1labs.ariel.Interval><short>5000</short><boolean>true</boolean><short>5000</short><boolean>true</boolean></com.q1labs.ariel.Interval></interval></expr><key classMy props.conf are
[XMLPARSING]KV_MODE = xmlSHOULD_LINEMERGE = trueBREAK_ONLY_BEFORE = <globalView\s\w*=("\d\d\d")MAX_EVENTS = 600 EXTRACT-dailyTime = ^(?:[^=\n]*=){8}"(\d+)TIME_FORMAT=%s%3NTIME_PREFIX=dailyTime=Lookahead=13TRUNCATE = 1000category = Customdisabled = falsepulldown_type = trueBest Answer
Typically, you'd convert from the timestamp (ie epoch time) to something human-readable in your search
Like this:
index=ndx sourcetype=srctp earliest=-4h| stats max(_time) as rtime min(_time) as etime by fieldA| sort 0 - rtime + fieldA| eval rtime=strftime(rtime,"%c"), etime=strftime(etime,"%c")| rename rtime as "Most Recent" etime as "Earliest"Splunk strftime docs: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29
Further formatting info for strptime and strftime: https://strftime.org