https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133348#M27400 <P>eval myTime=AD_time/10000000 - 11644473600</P> <P>got it. Thanks for your help!</P> Wed, 16 Apr 2014 13:42:33 GMT dwithers 2014-04-16T13:42:33Z https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133343#M27395 <P>Using ldapsearch queries in the splunk for windows ifnrastructure app, I am trying to convert the following fields timestamp which is the integer8 windows NT timestamp to epoch or other readable time after my query runs. The timestamp is the number of 100-nanoseconds intervals (1 nanosecond = one billionth of a second) since Jan 1, 1601 UTC</P> <P>Anyone have any experience with this? Would be much appreciated!</P> <P>field = msDS-LastSuccessfulInteractiveLogonTime<BR /> timestamp returned = 129878945338632316</P> Wed, 16 Apr 2014 12:17:37 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133343#M27395 dwithers 2014-04-16T12:17:37Z https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133344#M27396 <P>Hi dwithers,</P> <P>take this run everywhere example and adapt it to your needs:</P> <PRE><CODE>index=_internal | head 1 | eval AD_time="129878945338632316" | eval myTime=AD_time/1000000000 | eval myNiceTime=strftime(myTime, "%F %H:%M:%S.%3Q") | table myNiceTime </CODE></PRE> <P>the first line is only to setup the AD like time field, the second eval will 'convert' it into epoch time and the last eval will create a nice human readable time stamp out of it.</P> <P>cheers, MuS</P> Wed, 16 Apr 2014 12:34:40 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133344#M27396 MuS 2014-04-16T12:34:40Z https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133345#M27397 <P>small update: are you sure these are nano seconds? Looks like there is one number missing in your example....</P> Wed, 16 Apr 2014 12:52:57 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133345#M27397 MuS 2014-04-16T12:52:57Z https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133346#M27398 <P>Actually, i just found it's 64bit in of the number of 100 nanoseconds since 1/1/1601</P> Wed, 16 Apr 2014 13:23:30 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133346#M27398 dwithers 2014-04-16T13:23:30Z https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133347#M27399 <P>he current LDAP time = (time()+11644473600)*10000000;<BR /> You can replace time() with any UNIX timestamp or strtotime("15 November 2012") is the math if ound around it</P> Wed, 16 Apr 2014 13:37:48 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133347#M27399 dwithers 2014-04-16T13:37:48Z https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133348#M27400 <P>eval myTime=AD_time/10000000 - 11644473600</P> <P>got it. Thanks for your help!</P> Wed, 16 Apr 2014 13:42:33 GMT https://community.splunk.com/t5/Getting-Data-In/Convert-AD-LDAP-Timestamp-to-Epoch-or-other-readable-date/m-p/133348#M27400 dwithers 2014-04-16T13:42:33Z