Converting Secondary Time Stamp Fields from Epoch Time

Brendan Murray
There are several log sources where the log events contain various internal time stamps. BPPM is an example. In the screenshot below you can see mc_incident_time and mc_arrival_time. These time stamps have been parsed into fields, but they are still in epoch time, which is meaningless to humans. Going from memory, I believe we do data-type these fields. If they are typed, would it not be possible to convert them to human-readable time?


Windows event logs are another example. Again, we parse the TimeWritten and TimeGenerated values into ITDA fields, but the values are shown in epoch time.


I can understand not converting raw text, but if we are parsing the data into ITDA fields, why are we not converting the time stamps to a human-readable format?
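The conversion the post asks for, as an added example that is not part of the original post or of ITDA: it takes an already-parsed event and adds a UTC ISO 8601 copy next to each epoch field named above, keeping the raw number for searching. The field list, the seconds-versus-milliseconds heuristic and the sample events are assumptions for the example.

```python
from datetime import datetime, timezone

# Secondary time stamp fields mentioned in the post. Which of them exist
# depends on the log source; this set is an assumption for the example.
EPOCH_FIELDS = ("mc_incident_time", "mc_arrival_time", "TimeWritten", "TimeGenerated")


def epoch_to_iso(value):
    """Convert an epoch value (seconds or milliseconds) to an ISO 8601 UTC string.

    Heuristic (assumed, not from the post): anything above 10**11 is treated as
    milliseconds. 10**11 ms is early 1973 and 10**11 s is the year 5138, so the
    threshold separates the two units unambiguously for real log data.
    """
    n = int(value)
    if n > 10**11:
        n = n / 1000.0
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def add_readable_times(event, fields=EPOCH_FIELDS):
    """Return a copy of the event with <field>_iso added for each epoch field present.

    The original numeric value is kept so it can still be searched and sorted on;
    a non-numeric or out-of-range value yields None instead of dropping the event.
    """
    out = dict(event)
    for f in fields:
        if f in event and event[f] not in (None, ""):
            try:
                out[f + "_iso"] = epoch_to_iso(event[f])
            except (ValueError, TypeError, OverflowError, OSError):
                out[f + "_iso"] = None
    return out


if __name__ == "__main__":
    # Constructed sample events, one BPPM-style and one Windows-style.
    for ev in ({"mc_incident_time": 1700000000, "mc_arrival_time": 1700000060000},
               {"TimeGenerated": "1700000000", "TimeWritten": "not-a-number"}):
        print(add_readable_times(ev))
```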