Avatar
Kevin Keech
  • Updated
Follow

How to format an epoch value (milliseconds since 1970) into a human readable date

Sumo Logic provides the formatDate operator to assist with converting epoch to readable dates using the Java SimpleDateFormat

To convert the epoch time into a date formatted string, you can put the first two functions together, like this:

* | formatDate(_messagetime, "MM-dd-yyyy HH:mm:ss") as myDate 

However, in the case where you are first using an aggregate operation on an epoch such as Min, Max Avg, you may also need to convert the return value to a "long" value using the toLong function. This is because when you run these aggregate functions, the return value gets reformatted as a double which the formatDate function cannot read. This may lead to the following error being displayed with your query. 

No definition found for function formatDate(Double, String).

 To address this we will need to add a conversion operation within the formatDate to convert the returned epoch to a long value. 

| min(_messagetime) as mindate 
| formatDate(toLong(mindate), "MM-dd-yyyy HH:mm:ss") as myDate  

Sumo Logic further needs a 13 digit epoch timestamp for the formatDate operator. So in cases where you have 10 digit epoch timestamps, you will need to convert it to 13 digits by multiplying your current value by 1000.

Here is the sample query to convert a value to an accepted 13 digits within the formatDate operation:

* | formatDate(toLong(datetimedisconnect*1000),"MM-dd-yyyy HH:mm:ss") as time

 

Comments

2 comments

Sort by Date Votes
  • Avatar
    Andrew Smith
    Just ran into this, although we just needed formatDate(toLong(...)) without fromMillis. Still missing from the documentation, although toLong is mentioned tangentially in the section on parsing text dates into numbers for sorting.
    1
    Comment actions Permalink
  • Avatar
    Ezra Jennings

    When using the function as shown in your answer, the time is displayed in the Pacific timezone (which is not my timezone and not UTC) as I can see from adding a 'z' to the formatDate string.  There appears to be an optional third argument to the formatDate function where some text timezones are supported ('EST', 'PST', 'GMT') but I could not get numeric timezones ('-0400' or '-04:00') to work.  Is there another way to do this?  Or will numeric timezones be supported in the future?

    I also could not find the formatDate or fromMillis functions in the help (https://service.sumologic.com/help/Default.htm) and they are not suggested when I start to type them.  Will they be documented?  Are there are other very useful undocumented functions that are available?  Thanks!

     

    0
    Comment actions Permalink

Please sign in to leave a comment.

Related articles