The SPL (Splunk) field name used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search is _time. This is because _time is a default field in Splunk that holds timestamp information and automatically interprets Unix epoch time as human-readable time.