epoch()

Converts a Unix epoch timestamp to a timestamp type.

Syntax

epoch(VALUE)

Parameters

VALUE
An expression that returns a Unix epoch value. Accepts a number or a numeric string.

Description

The epoch() function interprets VALUE as a seconds-based epoch and returns a timestamp. The return type is timestamp.

If the result interpreted as seconds exceeds January 1, 9999 (Unix epoch 253402300799 seconds), VALUE is interpreted as milliseconds instead. That is, values of 253402300799 or greater are treated as milliseconds.

Returns null if VALUE is null, an empty string, or cannot be converted to a number.

Error codes

N/A

Usage examples

To prepare the WEB_APACHE_SAMPLE table used in these examples, refer to Preparing sample data.

  1. Convert the access log timestamp to an epoch integer and then restore it as a date.

    table limit=5 WEB_APACHE_SAMPLE | eval epoch_val = datepart(_time, "epoch"), result = epoch(epoch_val)
| fields _time, epoch_val, result

  2. Convert a seconds-based epoch value to a date.

    json "{}" | eval result = epoch(1435196373)
| # result: 2015-06-25 10:39:33+0900

  3. NULL input

    json "{}" | eval result = epoch(null)
| # result: null

Compatibility

The epoch() function has been available since before Sonar 4.0.