convert [timeformat=string] ctime(<field>)

The [ctime](https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Convert) function converts a given field to a human readable format, which can be provided with the optional timeformat (default: "%m/%d/%Y %H:%M:%S") parameter.

In Splunk, the provided field can either be a unix epoch time in seconds or a timestamp field like the _time column. Please see the example in the Splunk [doc](https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Convert) for the latter.

Here, we have the same issue as we have with the [strftime](https://github.com/databricks/spark-spl/issues/50) function. Depending on the type of the input field, we either need to call the 'from_unixtime' function or the  'date_format' function. The current [implementation](https://github.com/databricks/spark-spl/pull/59) leverages the date_format function to convert timestamp fields (e.g. '_time'). Hence, we do not support fields in seconds, but only in timestamp format. 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

convert [timeformat=string] ctime(<field>) #60

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

convert [timeformat=string] ctime(<field>) #60

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions