Epoch time conversion to time in Splunk


I am uploading an XML in which one of the fields is dailyTime. This dailyTime is an epoch time and I want to convert it into human-readable time.

<globalView id="108" version="17" recordClassName="NormalizedEvent" retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" dailyTime="1284336038994" intervalMilliseconds="60000" writeUniqueCountersTime="0">
    <criteria bop="AND">
      <left>
        <expr>
          <interval serialization="custom">
            <com.q1labs.ariel.Interval>
              <short>5000</short>
              <boolean>true</boolean>
              <short>5000</short>
              <boolean>true</boolean>
            </com.q1labs.ariel.Interval>
          </interval>
        </expr>
        <key class

My props.conf is:

[XMLPARSING]
KV_MODE = xml
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <globalView\s\w*=("\d\d\d")
MAX_EVENTS = 600
# EXTRACT- only creates a field from a *named* capture group; an unnamed (\d+) creates nothing
EXTRACT-dailyTime = dailyTime="(?<dailyTime>\d+)"
# dailyTime is epoch milliseconds: %s = seconds, %3N = the three sub-second digits
TIME_FORMAT = %s%3N
# the digits start after the opening quote, not directly after the equals sign
TIME_PREFIX = dailyTime="
# the props.conf key is MAX_TIMESTAMP_LOOKAHEAD ("Lookahead" is not a setting); 13 = width of an epoch-ms value
MAX_TIMESTAMP_LOOKAHEAD = 13
TRUNCATE = 1000
category = Custom
disabled = false
pulldown_type = true

There is 1 answer

warren

Typically, you'd convert from the timestamp (i.e. epoch time) to something human-readable in your search.

Like this:

index=ndx sourcetype=srctp earliest=-4h
| stats max(_time) as rtime min(_time) as etime by fieldA
| sort 0 - rtime + fieldA
| eval rtime=strftime(rtime,"%c"), etime=strftime(etime,"%c")
| rename rtime as "Most Recent" etime as "Earliest"

Splunk strftime docs: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29

Further formatting info for strptime and strftime: https://strftime.org
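As an added example that is not part of the question or of warren's answer: the script below checks the props.conf regexes offline against the <globalView> line posted in the question (the sample event is constructed here from the page's own attribute values) and then converts the millisecond epoch the way `strftime(dailyTime/1000, "%Y-%m-%d %H:%M:%S.%3N")` would in a search. It assumes the corrected keys TIME_PREFIX=dailyTime=" and MAX_TIMESTAMP_LOOKAHEAD=13 rather than the original ones, and the function names (extract_daily_time, epoch_to_utc, wrong_unit_year, ...) are mine, not Splunk's. It also shows the failure mode of feeding a 13-digit millisecond value to a seconds-only format such as plain %s.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first line of the <globalView> event posted in the
# question, with the attribute values exactly as shown there.
SAMPLE_EVENT = (
    '<globalView id="108" version="17" recordClassName="NormalizedEvent" '
    'retention="0" hourly="-1" hourlyTime="1284336038994" daily="-1" '
    'dailyTime="1284336038994" intervalMilliseconds="60000" '
    'writeUniqueCountersTime="0">'
)

# Python equivalents of the props.conf settings. Splunk's EXTRACT-<class>
# needs a named group (?<dailyTime>...) to create a field; Python spells the
# same named group (?P<dailyTime>...).
BREAK_ONLY_BEFORE = re.compile(r'<globalView\s\w*=("\d\d\d")')
EXTRACT_DAILYTIME = re.compile(r'dailyTime="(?P<dailyTime>\d+)"')
TIME_PREFIX = re.compile(r'dailyTime="')          # assumed corrected prefix
MAX_TIMESTAMP_LOOKAHEAD = 13                      # width of an epoch-ms value
SECONDS_PER_YEAR = 31556952                       # mean Gregorian year


def extract_daily_time(event: str) -> int:
    """Apply the EXTRACT-dailyTime regex and return the raw attribute as an int."""
    m = EXTRACT_DAILYTIME.search(event)
    if m is None:
        raise ValueError("dailyTime attribute not found in event")
    return int(m.group("dailyTime"))


def timestamp_after_prefix(event: str) -> str:
    """Digits Splunk would see after TIME_PREFIX within the lookahead window."""
    m = TIME_PREFIX.search(event)
    if m is None:
        raise ValueError("TIME_PREFIX did not match")
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    digits = re.match(r"\d+", window)
    return digits.group(0) if digits else ""


def epoch_to_utc(value: int) -> datetime:
    """Convert an epoch value to an aware UTC datetime.

    Values of 13 or more digits are treated as milliseconds, which is what
    TIME_FORMAT=%s%3N parses; shorter values are treated as seconds. Integer
    arithmetic avoids float rounding of the millisecond part.
    """
    if value >= 10**12:
        secs, millis = divmod(value, 1000)
        return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=millis)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def human_readable(value: int) -> str:
    """Same result as SPL: strftime(value/1000, "%Y-%m-%d %H:%M:%S.%3N") in UTC."""
    dt = epoch_to_utc(value)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


def wrong_unit_year(value_ms: int) -> int:
    """Approximate year you get by reading a millisecond epoch as seconds.

    datetime.fromtimestamp() refuses such values (year out of range), so the
    year is estimated arithmetically to show how far off a bare %s format is.
    """
    return 1970 + value_ms // SECONDS_PER_YEAR


if __name__ == "__main__":
    assert BREAK_ONLY_BEFORE.match(SAMPLE_EVENT), "event boundary regex failed"
    raw = extract_daily_time(SAMPLE_EVENT)
    print("raw dailyTime       :", raw)
    print("after TIME_PREFIX   :", timestamp_after_prefix(SAMPLE_EVENT))
    print("as %s%3N (UTC)      :", human_readable(raw))
    print("if read as seconds  : year", wrong_unit_year(raw))
```

The window check is the part worth running before touching a real sourcetype: if timestamp_after_prefix returns fewer than 13 digits, either TIME_PREFIX lands on the wrong character or MAX_TIMESTAMP_LOOKAHEAD is too short, and Splunk will not get the timestamp you expect.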