3 Replies Latest reply on Apr 2, 2015 1:27 AM by Joe Scarpelli

    Converting Secondary Time Stamp Fields from Epoch Time

    Brendan Murray

      There are several log sources where the log events contain various internal time stamps. BPPM is an example. In the screen shot below you can see mc_incident_time and mc_arrival_time. These time stamps have been parsed into fields, but they are still in epoch time, which is meaningless to humans. Going from memory, I believe we do data type these fields. If they are typed, would it not be possible to convert them to human-readable time?

      [Screenshot: Secondary Time stamps.png]

      Windows event logs are another example. Again, we parse the TimeWritten and TimeGenerated values into ITDA fields, but the values are shown in epoch time.


      I can understand not converting raw text, but if we are parsing the data into ITDA fields, why are we not converting the time stamps to a human-readable format?
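As an added example (not code from the post or from ITDA), this is one way a parsing stage could surface the fields named above in human-readable form while keeping the raw epoch value intact; it assumes the field names from the post, treats values of 13 or more digits as milliseconds, and skips anything that is not a plausible epoch time rather than failing the event.

```python
from datetime import datetime, timezone

# Field names taken from the post (BPPM and Windows event log); the list itself
# is an assumption about which parsed fields carry epoch values.
EPOCH_FIELDS = ("mc_incident_time", "mc_arrival_time", "TimeWritten", "TimeGenerated")

# Assumption: anything at or above this is milliseconds, since a value in
# seconds this large would be centuries in the future.
MS_THRESHOLD = 10_000_000_000


def epoch_to_iso(value):
    """Return an ISO 8601 UTC string for an epoch value given in seconds or
    milliseconds (as int or string). Return None for anything implausible."""
    try:
        num = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    if num < 0:
        return None
    if num >= MS_THRESHOLD:
        num = num / 1000.0  # millisecond epoch -> seconds
    try:
        stamp = datetime.fromtimestamp(num, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None
    return stamp.isoformat().replace("+00:00", "Z")


def enrich_event(event):
    """Return a copy of the event with a '<field>_iso' sibling next to each
    known epoch field. The raw value is never modified or removed."""
    out = dict(event)
    for name in EPOCH_FIELDS:
        if name in event:
            iso = epoch_to_iso(event[name])
            if iso is not None:
                out[name + "_iso"] = iso
    return out


# Constructed sample events; the values are made up for this example.
SAMPLE_EVENTS = [
    {"mc_host": "srv01", "mc_incident_time": "1427932800", "mc_arrival_time": "1427932812"},
    {"EventID": "4624", "TimeGenerated": "1427932800000", "TimeWritten": "not-a-number"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(enrich_event(ev))
```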