databrickslabs / transpiler

SIEM-to-Spark Transpiler

convert [timeformat=string] ctime(<field>) #60

Open tombonfert opened 2 years ago

tombonfert commented 2 years ago

The ctime function converts a given field to a human readable format, which can be provided with the optional timeformat (default: "%m/%d/%Y %H:%M:%S") parameter.

In Splunk, the provided field can either be a unix epoch time in seconds or a timestamp field like the _time column. Please see the example in the Splunk doc for the latter.

Here, we have the same issue as we have with the strftime function. Depending on the type of the input field, we either need to call the 'from_unixtime' function or the 'date_format' function. The current implementation leverages the date_format function to convert timestamp fields (e.g. '_time'). Hence, we do not support fields in seconds, but only in timestamp format.

tombonfert commented 2 years ago

This issue and the strftime issue can be solved with a CaseWhen expression (see num() implementation). I will solve it asap.
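The two-way dispatch described in both comments above (from_unixtime for epoch seconds, date_format for timestamp fields, selected by a CASE WHEN), together with the Splunk-to-Spark format translation that ctime's timeformat parameter needs, shown as an added Python example. This is not code from the transpiler project; the directive table, the typeof()-based branch predicate, the column names and the UTC reference model are assumptions made for the example.

```python
"""Added example (not code from databrickslabs/transpiler).

Lowers Splunk's `convert [timeformat=...] ctime(<field>)` to a Spark SQL
CASE WHEN that routes timestamp columns to date_format() and epoch seconds
to from_unixtime(), and models Splunk's ctime semantics in plain Python so
the translation can be checked offline. The directive table, the typeof()
dispatch and the UTC reference are assumptions of this example.
"""
from datetime import datetime, timezone

DEFAULT_TIMEFORMAT = "%m/%d/%Y %H:%M:%S"  # Splunk's documented ctime default

# Splunk's ctime takes C strftime directives; Spark's from_unixtime() and
# date_format() take Java DateTimeFormatter patterns. Only these directives
# are translated (an assumed subset); anything else raises so the transpiler
# fails loudly instead of emitting a silently wrong pattern.
SPLUNK_TO_SPARK_DIRECTIVE = {
    "%Y": "yyyy", "%y": "yy", "%m": "MM", "%d": "dd",
    "%H": "HH", "%I": "hh", "%M": "mm", "%S": "ss", "%p": "a",
    "%b": "MMM", "%B": "MMMM", "%a": "EEE", "%A": "EEEE",
}


def splunk_to_spark_format(fmt: str) -> str:
    """Translate a Splunk strftime-style format into a Spark datetime pattern.

    In Java patterns every letter is a pattern character, so literal runs
    that contain letters (the 'T' and 'Z' of an ISO timestamp, say) are
    wrapped in single quotes; a quote inside such a run is doubled.
    """
    out, literal = [], []

    def flush_literal():
        if literal:
            text = "".join(literal)
            if any(c.isalpha() or c == "'" for c in text):
                text = "'" + text.replace("'", "''") + "'"
            out.append(text)
            literal.clear()

    i = 0
    while i < len(fmt):
        if fmt[i] == "%":
            token = fmt[i:i + 2]
            if token == "%%":
                literal.append("%")
            elif token in SPLUNK_TO_SPARK_DIRECTIVE:
                flush_literal()
                out.append(SPLUNK_TO_SPARK_DIRECTIVE[token])
            else:
                raise ValueError(f"unsupported ctime directive {token!r}")
            i += 2
        else:
            literal.append(fmt[i])
            i += 1
    flush_literal()
    return "".join(out)


def ctime_sql(field: str, timeformat: str = DEFAULT_TIMEFORMAT) -> str:
    """Spark SQL for ctime(): choose the conversion by the column's type.

    typeof() resolves to the column's static type, so the branch is decided
    once at plan time rather than per row (assumed dispatch, not the
    project's implementation). Timestamp and date columns go through
    date_format(); everything else is cast to epoch seconds and goes through
    from_unixtime(), which yields NULL for a string that is not numeric.
    """
    pattern = (splunk_to_spark_format(timeformat)
               .replace("\\", "\\\\").replace("'", "\\'"))  # Spark SQL string-literal escaping
    col = "`" + field.replace("`", "``") + "`"
    return (
        f"CASE WHEN typeof({col}) IN ('timestamp', 'date') "
        f"THEN date_format({col}, '{pattern}') "
        f"ELSE from_unixtime(CAST({col} AS BIGINT), '{pattern}') END"
    )


def reference_ctime(value, timeformat: str = DEFAULT_TIMEFORMAT) -> str:
    """Plain-Python model of Splunk's ctime semantics (UTC assumed).

    Numbers and numeric strings are epoch seconds; datetimes are used as-is.
    Use it to check what the generated SQL should return for a given input.
    """
    if isinstance(value, datetime):
        ts = value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    else:
        ts = datetime.fromtimestamp(float(value), tz=timezone.utc)
    return ts.strftime(timeformat)


if __name__ == "__main__":
    print(ctime_sql("_time"))
    print(ctime_sql("event_epoch", "%Y-%m-%dT%H:%M:%SZ"))
    print(reference_ctime(1672531200), reference_ctime("1672531200"))
```

Two caveats when comparing the generated SQL against the reference model: Spark's from_unixtime and date_format render in the session time zone (spark.sql.session.timeZone), so set it to UTC for a like-for-like check, and a string column that holds an ISO timestamp rather than epoch seconds falls into the ELSE branch and becomes NULL (or an error under ANSI mode), which is the string case the runtime dispatch above does not try to resolve.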