%T The time in 24-hour notation (%H:%M:%S). Once in epoch you can let Splunk represent it in the relative local timezone of the viewer OR always in EPOCH easily using Eval's strptime OR the convert. The Unix epoch (or Unix time or POSIX time or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap seconds (in ISO 8601: 1970-01-01T00:00:00Z). What setting should be placed in the props. Community; Community; Splunk Answers. datetime. epoch time is how time is kept track of internally in UNIX. In practice, Perl is often available:Subtracting DATE '1970-01-01' from the value will give the number of days (and fractional hours/minutes/seconds) difference and then you can multiply by 24*60*60: (date_value - DATE '1970-01-01')*24*60*60. If “x. Hi I am setting a time token "WFDate_tok_display1" which has timestamp value from the user click. <drilldo. 02-12-2020 11:41 PM. One thing I forgot is _time actually is already in epoch but just displayed human readable in Splunk UI. Use the %Z option. You have to see what units your epoch time value is in. From the search line I can easily leverage the strftime command to get the. Splunk Answers. xdp4. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. How to convert the time format "2016-12-07T09:33:33. When you then format them for display they'll be in your selected time zone. Then, you just perform a lookup and calc. I have this date string example: Mon, 01 May 2023 00:00:00 GMT how can I convert it to epoch? thanks! On Splunk Enterprise instances, if you need to modify timestamp extraction, specify the configuration on the indexers. Once in epoch you can let Splunk represent it in the relative local timezone of the viewer OR always in EPOCH easily using Eval's strptime OR the convert. However, in using this query the output reflects a time format that is in EPOC format. Hello Splunk Practitioners!In June, Splunk Customer Success introduced Product Adoption Boards -. However, I cannot use Strftime once the figure. 04-07-2023 11:57 AM. COVID-19 Response SplunkBase Developers Documentation. This timestamp, which is the time when the event occurred, is saved in UNIX time. . What is the definition of "readable for Splunk"? Splunk only understands epoch, so strptime is your answer. You could just create one event instead of three, or in the example, just return the first event:| head 1 If you're working with ISO time strings but unknown times in an unknown order, you can sort lexicographically:| sort time_1 | head 1 If the time format is known but not necessarily in ISO format. Splunk Answers. g. This results in an epoch diff of "0" and if you strftime a "0" into days, it thinks it's 31 days, but it should be 0 days. I guess when not specifying the date, Splunk maps the time to the previous day, if the respective timestamp hasn't passed yet (or would be 'too far into the future'? So if you evaluate it on Monday early morning, before 8 AM, it will map 8 AM. _time is the epoch time or the number of seconds from Midnight January 1 1970 UTC. I have a string from a complex JSON event providing an ISO 8601 date/time in UTC. Ex: index=bar sourcetype=foo earliest=1350538170 latest=1350538870 | more search commands. The string you illustrated looks like some combination of 4-digit year followed by some representation of month, day, hour, etc. I tried to convert 1:00 AM and 8:00 AM to epoch time, and for some reason, the epoch time of 1:00 AM is greater than the epoch time of 8:00 AM. Convert this time format to epoch hagjos43. Without any issues here. mstime () Syntax: mstime (<wc-field>) Description: Convert a [MM:]SS. New Member. I wish to work out the difference of these two times and then create an average of all the results - essentially this -> Average (Acknowledge_Date-Date_Created) Search. Background. Any help is appreciated. g. Handling Time" "Avg. Solved: Hi, i need to write a query that converts time format from minutes to format Xh Xmin Xs my query | eval finish_time_epoch =Seems like your search results include the _time field which shows human-readable format in Splunk visualizations (it's a special field) but holds an epoch value. The general workflow for creating a CSV lookup in Splunk Web is to upload a file, share the lookup table file, and then create the lookup definition from the lookup table file. Therefore, since you can generate timestamps in UTC, your best bet would be to have earliest and latest in epoch as well. For example, if you create a field call time, convert user selection to epoch using <change> event/drilldown for time. Splunk, Splunk>, Turn Data Into Doing, Data-to. Splunk Tech Talks. ; If this is supposed to be the _time field, then make sure to update the. Solved: I have an event field called `LastBootUpTime=20120119121719. Downvoted. I have a log that contains multiple time fields _time (ingest time) Processed time (processed_time) Actioned time (actioned_time) Result time (result_time) _time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working. For example the UNIX epoch time 1484993700 is equal to Tue Jan 21 10:15:00 2020 . Thanks Anyways. BrowseYou could add a time range picker and feed your tokens into that, that way the user can both see the time range (to some degree) and manipulate it as COVID-19 Response SplunkBase Developers DocumentationFor data already indexed, you can use Eval's strptime OR the convert command to switch this to epoch. Subscribe to RSS Feed; Mark Topic as New; Mark Topic as Read; Float this Topic for Current User; Bookmark Topic;. bowesmana. D. Motivator 10-20-2015 01:41 AM. . I'm trying to change the "apiStartTime" which is in the following format 'Sat Mar 5 00:00:00 2016' including the apostrophes to an epoch time so I can perform some date calculations. Subscribe to RSS Feed; Mark Topic as New; Mark Topic as Read; Float this Topic for Current User;. 1. 02-28-2023 10:53 PM. This has converted the times to epoch. This is my search and the result of my. 405Z into a Splunk time format so I can get time windows to use in streamstats. I have a logs where time stores under a custom field (Patch_date) and i want to display latest time result. You can try strptime time specifiers and add a timezone (%z is for timezone as HourMinute format HHMM for example -0500 is for US Eastern Standard Time and %Z for timezone acronym for example EST is for US Eastern Standard Time. This solution doesn't appear to account for timezone, which Splunk automatically adjusts for. You can specify the time format by timeforma t argument. . What setting should be placed in the props. When you use _time in a search, Splunk assumes you want to see a human-readable time value, instead of an epoch time number of seconds. Handling Time" "Avg. You need to, at index time, set the time zone of your incoming data so that Splunk knows what the actual real event time is. Converting date and time to Epoch (Unix) time, and Epoch time back to human readable date. The timestamps must include a day. You can follow this document to set up a lookup: Use lookups in Splunk Web; per Define a CSV lookup in Splunk Web: CSV lookups are best for small sets of data. For more information about how the Splunk software determines a time zone and the tz database,. You can also use these variables to describe timestamps in event data. Thanks. 0 Regards ShraddhaHi I have a timestamp field with values as below "2016-08-25T13:30:36. The timestamps must include a day. 05-13-2014 11:58 AM. I have following Splunk Query which is trying to format Epoch captured start and end time into human readable format but seems like splunk is pulling incorrect value here. Description: Convert a human readable time string to an epoch time. You use date and time variables to specify the format that matches string. Unfortunately, Splunk is not recognising the date when it gets indexed, so the "_time" field is when the data was indexed. The magnifying glass in the search app will only apply to the _time field. I find the simplest way to generate multiple events is a combination of makeresults, eval, and mvexpand: | makeresults | eval source="abc" | eval msg="consumed"We will discuss how to change time from human readable form to epoch and from epoch time to human readable. Assuming that your local PST time stamp field, myPSTtime had no time zone in it, and a date of "03/11/2017 13:21:17", you'd convert using a method like this run-anywhere code. . D. Since Splunk uses 32-bit epoch time, events after 2038 cannot be indexed. Searching the _time field. Considering converting from epoch is one of the most common Splunk questions of all time, considering this page has 46k views, and considering that each and every answer is entirely incorrect (and the actual question itself is misleading) this page is desperately in need of removal. conversion from Epoch Time to string time. Can somebody give me some guidance on how to correct this please? Tags (4)Splunk Cloud Platform; Splunk Data Stream Processor; Splunk Data Fabric Search; Splunk Premium Solutions; Security Premium Solutions; IT Ops Premium Solutions; Engineering Premium Solutions; Apps and Add-ons; All Apps and Add-ons; Discussions. 531 AMAs of Splunk 6. I have a need to compare a timestamp of a log to an EPOCH time also on the same log line and show the DiffCOVID-19 Response SplunkBase Developers Documentation. 2 Karma. I've seen a lot of questions asking to get just the date from date/time stamp and convert to epoch. Ex: Epoch time : 9386717. I am having a problem with my strptime in that it is not working. Use time modifiers to customize the time range of a search or change the format of the timestamps in the search results. getTime ()/1000) (or see stack overflow for dozens of variations) 01-05-2016 03:45 AM. Hope this helps, d. To convert the epoch seconds value you can display an additional field with the timestamp(in the format you wish. . . 07-30-2010 09:53 PM. How to convert epoch timestamp to readable date format?. in the example, Splunk interprets the _time_AEST variable as seconds since epoch (1970-01-01 00:00:00 UTC), and so technically Splunk is interpreting this as a different 'real world' time -- if you attempt to print the timezone of the date, it will incorrectly report the users configured timezone. Use time modifiers to customize the time range of a search or change the format of the timestamps in the search results. datetime(2019, 12, 1, 0, 0). As part of our larger. It is not showing any value in the human readable time column. For example, the result of the following function is 1001 : eval result = tostring (9, "binary") This is because the binary representation of 9 is 1001 . Builder 03-26-2020 09:26 AM. So I have two date fields - Date_Created & Acknowledge_Date both in the format YYYY-MM-DD HH:MM:SS. Solved: A user tells us - -- I need to convert time value from EST to UTC in Splunk. BrowseAnytime! :) COVID-19 Response SplunkBase Developers DocumentationSolved: I struggle with converting a time stamp into a date. When exported as csv, it's original epoch value can be seen. Note that the earliest and latest params are set to Epoch time. To convert time strings from one format to another you must strptime() convert to epoch form and then use strftime(). Converts an epoch/unix timestamp into a human readable date. How to convert epoch time with milliseconds into splunk at indexing time vrmandadi. The timestamp processor Solved: Is it possible to convert the following into an epoch timestamp using strptime; 2018-05-31T06:49:13Z Or will I need to use regex to rip out COVID-19 Response SplunkBase Developers Documentation Hi How to convert the time format "2016-12-07T09:33:33. COVID-19 Response SplunkBase Developers Documentation. I'm trying to change the "apiStartTime" which is in the following format 'Sat Mar 5 00:00:00 2016' including the apostrophes to an epoch time so I can perform some date calculations. If you want to do it in JS use something like var epoch = Math. | lookup timezone TIMEZONE output offset | foreach LAST_* NEXT_* [ fieldformat > =The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. US Pacific Daylight Time, the timezone where Splunk Headquarters is located. Subscribe to RSS Feed; Mark Topic as New; Mark Topic as Read;. Try this query. Hi, I wonder whether someone may be able to help me please. | makeresults | eval message= "Happy Splunking!!!"Using Splunk: Splunk Search: Convert epoch time from drilldown parameter; Options. Premium Powerups Explore Gaming. Security; Getting Data In; Knowledge Management; Monitoring Splunk; Using Splunk; Splunk Search; Reporting; Alerting; Dashboards &. This is reported here as well, the problem revolves around the isnum check:. The only time you can format with a POSIX shell command (without doing the calculation yourself) line is the current time. If this is supposed to be the _time field, then make sure to update the sourcetype to properly extract this value, regardless of timezone, going forwarder. BrowseDashboards & Visualizations. ctime – Convert an epoch time format to human readable time format. How to convert large epoch time to hours minutes and seconds ?. 2020-10-05 23:06:05. Short-hand to convert python date/datetime to Epoch (without microseconds) Use strptime to parse the time, and call time () on it to get the Unix timestamp. The epoch time is reflecting in the events,I am extracting using regex in the search and after that trying to convert the epoch time and use it in the search. What setting should be placed in the props. 2/7/18 3:35:10. The time returned by the now () function is represented in UNIX time, or in seconds since Epoch time. Training & Certification Blog. For the ones that report in 18 characters, Splunk thinks that these events are happening in the future. Well SPLUNK (v 6. . e _time) is in UTC. SSS (minutes, seconds, and subseconds) to a number in seconds. Description. Ex: Epoch time : 9386717. It will be better if you convert epoch to date time string search query itself then set fields to token. conf. sourcetype="adloader" | stats min(_time) AS earliest max(_time) AS latest by TransactionID | eval duration=latest-earliest | eval earliest=strftime(earliest,"%+") | table TransactionID earliest durationHI @Becherer,. The strptime function doesn't work with timestamps that consist of only a month and year. I know that splunk reads the epoch time and converts it to human readable format under the _time field but I want to transform the raw events to have human readable format. I've got them all working except forCloud Platform | Migrating your Splunk Cloud deployment to Python 3. If I'm not wrong, convert needs epoch time for ctime(). conf to ensure that every two strings is one event, but now I'm trying to assign the "1234567890" as the timestamp of the event and make sure it shows in human readable format for search results. 0 Karma Reply. An epoch is a numeric value representing time in seconds. Note- The 'timestamp' ODATE is not the actual timestamp. | eval epoch1 = _time. addSeconds('1970-01-01T00:00:00Z', 1675667443)-----I think you may have found a bug. 1, the method will be |eval pretty_time=tostring (num_seconds, "duration") where num_seconds is an integer quantity of seconds or a decimal quantity of seconds and sub-seconds. I can reproduce proper results with any date in 1971 or newer, but none in 1970. Explorer. As i couldn't able to work with 13 Digits and when i changed form 13 Digits to 10 Digits it worked out well for me. BrowseWhen using time. This should get documented in Functions for Eval and Where. _time is always stored in the Splunk indexes as an epoch time value. The UNIX Epoch Time timestamp, or the number of seconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). COVID-19 Response SplunkBase Developers Documentation. Stack Overflow. Engager 12-20-2021 11:01 AM. However, you have couple of options. I'm running the below query to find out when was the last time an index checked in. If events. A. conf23! This event is being held at the Venetian Hotel in Las. | makeresults | eval message= "Happy Splunking!!!"How can I convert a field containing a duartion (not a timestamp!) in. 09-21-2017 04:57 PM. UNIX time is the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), 1 January 1970. NFL. This function takes a time represented by a string and parses the time into a UNIX timestamp format. You can then use replace function of eval to format the output. If you want to get super fancy and convert to your local timezone you can do so by knowing your UTC offset. Which in this case comes out to January 1, 2016. Using %s to parse the epoch time ( in miliseconds) gives a gibberish date. I'm extracting a time stamp in the format 2015-01-31T23:59:55. I want to do it for time. Thanks. . So I have two date fields - Date_Created & Acknowledge_Date both in the format YYYY-MM-DD HH:MM:SS. It also assumes that you want to see this human readable time value in the current time zone of the user account. 1) The question doesn't actually provide a standard epoch time. and i want the difference epoch time to be in human readable . When used in a search, this function returns the UNIX time when the search is run. 04-19-2023 03:06 AM. This is a fairly easy method and provides. Convert time to epoch time & time zone. I am struggling because of the special format of the timestamp with T and Z included in. 946Asia/Singapore and i use the. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or. This dailyTime is an epoch time and i want to convert it into human readable time. It also displays the current epoch/unix timestamp in both seconds and milliseconds. I have events that are coming in with no timestamp except for a field "event_sec" which gives me the time in epoch format. Description: Convert a human readable time string to an epoch time. Convert NT Epoch Time with props. This moment in time is sometimes referred to as epoch time. For data already indexed, you can use Eval's strptime OR the convert command to switch this to epoch. Solved: I am creating some of my first dashboards, and I am having trouble working out how to change the output in the column titled Time to COVID-19 Response SplunkBase Developers Documentation BrowseTry the following where the seconds you are adding are what you have form your EPOCH date. Solution. If unspecified, Splunk assumes it is the same time zone as the Splunk indexer. The time shown is GMT and I need to use this field when using a dashboard to accurately show data. This number hit 1 million (1,000,000) in March of 1973, and will hit one billion (1,000,000,000) on Sun Sep 9 01:46:39 2001 UTC. . floor ( (new Date). Since your data is already indexed with the timestring in epoch seconds the easiest way to convert it would be to use the IFX field picker. S tutorial for converting epoch time to hum. Splunk, Splunk>, Turn Data Into. This solution doesn't appear to account for timezone, which Splunk automatically adjusts for. Let's assume that your. Deployment Architecture; Getting Data In;. I'm pretty sure SPL commands and functions don't work there 😉. Any help is appreciated. I think that I am supposed to use some combination of strptime and strftime but I can't figure it you. somesoni2. This is how the Time field looks now. Friday, April 13, 2020 11:45:30 AM GMT -07:00. conf to have the data indexed with the time field converted for human readability. So use strptime to convert to epoch time this first:. How can I convert these timestamps to some specific output format, e. F. 05-09-2014 02:03 PM. I also don't want to start new search for just parsing timestamps (it has to be fast). New Member 04-03-2019 08:45 AM. You can use this function to convert a number to a string of its binary representation. Convert timepicker token to epoch time for eval, regardless of timepicker combination. the field Time contains string time value as per your given example, then you need to first convert the same to epoch time using strptime () and then use. The time field has a bunch of different formats. For our use case, we are uploading the 'real world time' using time since Epoch (assigned to the _time property), and additionally upload a timestamp formatted as a date in local time field which Splunk interpets as a string. Is there a way to use the props. datetime but it failed: >>> datetime. but just wanted to share that Powershell 7's Get-Date has native support for converting Unix time now (which I discovered thanks to this question). For more information about working with dates and time, see. Solved: I want to get the result of large epoch time to hours minutes and seconds. . 210" |. Convert it to some time format you prefer using eval and strftime. however when I extract it using strftime(), it shows the time in PST (my local time) whereas the original time showed in Splunk events (i. See also SPL-25013. To convert the epoch seconds value you can display an additional field with the timestamp(in the format you wish. Is it possible to convert the "rt" field to a user-friendly format? I searched through some of the other questions but none really addressed this specific question. could I display the epoch time in a differet column? index=EventEndpoint | eval date=strftime(date,"%c") And index=EventEndpoint | eval epoch1=_timeCOVID-19 Response SplunkBase Developers Documentation. Time modifiers. This works with the query above. I'm trying to get each users first logon of the day over a period of time. I know about the workaround of timestamp'1970-01-01 00:00:00' + ( "<my_field>" /86400 ) as eventTime, but preferably I do not ingest an extra field if. I cannot influence the generation of this field (together with the other fields severity, thread and logger). Considering converting from epoch is one of the most common Splunk questions of all time, considering this page has 46k views, and considering that each and every answer is entirely incorrect (and the actual question itself is misleading) this page is desperately in need of removal. You can use a wildcard ( * ) character to specify all fields. 3 ) with automatic timestamp recognition parses the timestamp ( epoch in milliseconds), but there is no strptime equivalent for that so I cant specify custom timestamp extraction. Description This function takes no arguments and returns the time that the search was started. I think you may have found a bug. . index=ivz_onboarding_css_autosys source=Autosyscss1 | lookup timezonelookupdefine13+08:48:09. Community. If you want to see the epoch v. Try this to convert time in MM:SS. There are a couple of ways to convert epoch time into a human-readable format, but first you must start with epoch time in seconds rather than milliseconds. You can specify the time format by timeformat argument. Splunk Administration; Deployment Architecture I have a log that contains multiple time fields _time (ingest time) Processed time (processed_time) Actioned time (actioned_time) Result time (result_time) _time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working. The _time field is different in that it IS epoch, but it is always shown in a text form. Few examples below 7/24/2020 9:45:47 AM +05:30 7/23/2020 6:29:45 AM -05:00 7/24/2020 11:21:31 AM +07:00 7/24/2020 4:21:29 AM +00:00 I would like to find the differe. Few examples below 7/24/2020 9:45:47 AM +05:30 7/23/2020 6:29:45 AM -05:00 7/24/2020 11:21:31 AM +07:00 7/24/2020 4:21:29 AM +00:00 I would like to find the differe. For more information about how the Splunk software determines a time zone and the tz database,. You use date and time variables to specify the format that matches string. The timestamps must include a day. Communicator. But what I struggle now is to convert the timeStamp -string to date format to get at the end the min (timeStamp) extracted in order to compute the difference between the event's _time and the min (timeStamp) by the id field. Splunk convert Wed Sep 23 08:00:00 PDT 2020 to _time and epoch time in splunk . 2/7/18 3:35:10. In Splunk, create a new TCP Data Input port for each log source type to beCOVID-19 Response SplunkBase Developers Documentation. Searching the _time field. Thanks. I have created the following search. Since Splunk uses 32-bit epoch time, events after 2038 cannot be indexed. S tutorial for converting epoch time to hum. conf to convert it to human readable. Converters. When used on the _time field it returns the difference in seconds. Solved: Hi I need to Convert an #epoch time to #minutes any ideas please guys would be really grateful - Thanks There are a couple of ways to convert epoch time into a human-readable format, but first you must start with epoch time in seconds rather than milliseconds. As i couldn't able to work with 13 Digits and when i. Splunk Administration. Ask Question Asked 8 years, 5 months ago. How to convert epoch time with milliseconds into splunk at indexing time. With daylight saving, CET is two hours ahead of UTC. Community; Community;. strptime (timestamp, format, time_zone) This function parses a date string into a UNIX timestamp. 1 Solution. 0 Karma Reply. timestamp() print(ts) Output: 1575158400. COVID-19 Response SplunkBase Developers Documentation. | eval utc_time = relative_time (epoch_time,strftime (epoch_time,"%z"). This seemed to work well, until it stopped working (we upgraded to Splunk 8 from 7 and I think this is when it stopped working. It'll only work if i am in the same timezone as the server, which is fine for me but not usually the case with others, and then the rest of the lines re-apply the timezone to double it. You need, then, to massage the string a bit before passing it to. Solved! Jump to solution. Usage of Splunk commands : CONVERT is as follows: This command converts the field values to numerical values. In my splunk search for getting the date of Nessus plugins feed version used in a scan I get the number returned in the orginal format used of year-month-date-time (for example November 7th 2023 at 1200 would display as 202311071200) that I would like to convert into a readable format that I can then manipluate in splunk such as if i want to get the. e. This search doesn't gives me a readable time but the time isn't correct as the date are all the same with the year being 9999. Notice that claim_filing_date is a field in my sample data containing a date field I am interested in. Advertisement Coins. It'll only work if i am in the same timezone as the server, which is fine for me but not usually the case with others, and then the rest of the lines re-apply the timezone to double it. Tags (1) Tags: Why mac. Jan 01, 1971 is 31557600 as you noticed, so you'd think that Dec 31st 1970 would be 31557600-86400, an answer which escapes my ability to run a calculator app right now, but which is decidedly greater than 0. A timestamp expressed in UTC (Coordinated Universal Time) Local time with no time zone. Monitoring Splunk; Using Splunk; Splunk Search; Reporting; Alerting; Dashboards & Visualizations; Splunk Development; Building for the Splunk Platform; Splunk Platform Products; Splunk Enterprise; Splunk Cloud Platform; Splunk Data Stream Processor; Splunk Data Fabric Search; Splunk Premium Solutions; Security Premium. 7, the last release of Python 2, reached End of Life back on January 1, 2020. This moment in time is sometimes referred to as epoch time. You can specify the time format by timeformat argument. Hi @djoobbani,. 33. The strptime function doesn't work with timestamps that consist of only a month and year. First you need to extract the time to upload as a field. However, in using this query the output reflects a time format that is in EPOC format. You can convert String Time in your old format to Epoch Time in new format using strptime() and then convert to string time of your new format using strftime() In order to understand the conversion you can try the following run anywhere search: Well SPLUNK (v 6. There are a couple of ways to convert epoch time into a human-readable format, but first you must start with epoch time in seconds rather than milliseconds. If the week containing January 1st has four or more days in the new year, it is considered week 1. PS: Use eval tag to convert String time to Epoch using strptime() 3) Use tokens tokEarliest and tokLatest in your other searches in the dashboard which are epoch time. The time shown is GMT and I need to use this field when using a dashboard to accurately show data. SSS format to seconds. 0. 1) Create a search dashboard with timerange as input. However, in this case the format is not valid: $ date -d"08 18 2016 09:18:25" "+%s" date: invalid date ‘08 18 2016 09:18:25’. I think we're getting close :) 1406263182098 Fri,31 Dec 9999 23:59:59 1406263177094 Fri,31 Dec 9999 23:59:59I am unable to get this working too. 7 Python 2. . 040875200Z" to epoch time for calculating difference and then to readable format? I have a log event like this: Timestamp: 1477292160453180 537 The number 1477292160453180 is the number of microseconds since the Epoch: 1970-01-01 00:00:00 +0000 (UTC). . Hey Sorry but I checked the values and it should convert to 00:01:18 and 00:07:58, check here opens a subsearch; you need square brackets around it.