Document toolboxDocument toolbox

Epoch milliseconds (epoch)

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: May 16, 2023 by Borja Moro Moreno
2 min read
[ 1 Description ] [ 2 How does it work in the search window? ] [ 3 How does it work in LINQ? ]

Description

Creates a new field that converts a specified timestamp into an Epoch reference date, that is to say, the number of milliseconds since midnight Jan 1, 1970.

How does it work in the search window?

Select Create field in the search window toolbar, then select the Epoch milliseconds operation. You need to specify one argument:

Argument

Data type

Description

Argument

Data type

Description

Date mandatory

timestamp

You can either select a field with that data type or introduce it manually.

In case you want to introduce it, note that this value should be a date: Year-Month_Day Hour:Minute:Second.Millisecond (yyyy-MM-dd HH:mm:ss.SSS) → You can skip seconds and milliseconds.

The data type of the values in the new field is integer.

When you apply this operation in the search window interface, Devo automatically transforms the values you enter manually in the Date argument into timestamp data type.

If you choose a field in the Date argument, it must be a timestamp data type field. You can transform the strings or integers in a field to timestamps creating a new field using the Timestamp operation. Note that the strings to be converted must follow the format yyyy-MM-dd HH:mm:ss.SSS

Example

In the siem.logtrust.web.activity table, we want to create a field that transforms the dates in our eventdate field into Epoch milliseconds. To do it, we will create a new field using the Epoch milliseconds operation.

The arguments needed to create the new field are:

  • Date - eventdate field

Click Create field and you will see the following result:

How does it work in LINQ?

Use the operator select... as...  and add the operation syntax to create the new field. These are the valid formats for the Epoch milliseconds operation:

  • epoch(timestamp)

  • epoch(timestamp(string))

  • epoch(timestamp(integer))

When you use this operation in LINQ, you can indicate the name of a timestamp type field or use the Timestamp operation to transform a string / integer field or an entered value into timestamp format. To do it, add the timestamp() operator as in the above format examples.

Note that the strings to be converted must follow the format yyyy-MM-dd HH:mm:ss.SSS

Example

You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table:

from siem.logtrust.web.activity select epoch(eventdate) as eventdate_epoch