SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
The correct eval function to convert Unix times (Epoch) into UTC readable time in Splunk (SPL) is 'strftime'. The 'strftime' function formats Unix epoch time into a human-readable string. The other options 'now', 'typeof', and 'relative_time' are not used for this purpose.
C. strftime
| eval starttime=strftime(StartTimestamp,"%Y-%m-%dT%H:%M:%S.%Q")