https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298264#M56433 <P>You can use following formula to convert LDAP/FILETIME timestamps to human readable date in Splunk. See this runanywhere sample</P> <PRE><CODE>| gentimes start=-1 | eval time=131315659450000000 | eval time_s=(time/10000000)-11644473600 | eval time_human=strftime(time_s,"%+") </CODE></PRE> Tue, 14 Feb 2017 17:16:06 GMT somesoni2 2017-02-14T17:16:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298260#M56429 <P>I've seen lots of different solutions for converting time from epoch but I have not come across a solution that works to convert the Windows LDAP 18-digit lastLogonTimestamp field. How do I convert this field to a human readable field?</P> <P>Thank you.</P> Tue, 14 Feb 2017 16:21:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298260#M56429 DPWSplunkPOC 2017-02-14T16:21:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298261#M56430 <P>Hi DPWSplunkPOC<BR /> did you tried?</P> <PRE><CODE>eval TimeStamp=strftime(_time,"%d/%m/%Y %H.%M.%S") </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 14 Feb 2017 16:30:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298261#M56430 gcusello 2017-02-14T16:30:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298262#M56431 <P>Yes I have. This does not work for Windows LDAP time stamps because Active Directory stores date/time values as the number of 100-nanosecond intervals that have elapsed since the 0 hour on January 1, 1601 until the date/time that is being stored according to MS technet. </P> <P>If Windows used epoch in LDAP, that eval would work.</P> Tue, 14 Feb 2017 16:37:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298262#M56431 DPWSplunkPOC 2017-02-14T16:37:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298263#M56432 <P>did you tried</P> <PRE><CODE>eval TimeStamp=strftime(_time/100,"%d/%m/%Y %H.%M.%S") </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 14 Feb 2017 16:43:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298263#M56432 gcusello 2017-02-14T16:43:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298264#M56433 <P>You can use following formula to convert LDAP/FILETIME timestamps to human readable date in Splunk. See this runanywhere sample</P> <PRE><CODE>| gentimes start=-1 | eval time=131315659450000000 | eval time_s=(time/10000000)-11644473600 | eval time_human=strftime(time_s,"%+") </CODE></PRE> Tue, 14 Feb 2017 17:16:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298264#M56433 somesoni2 2017-02-14T17:16:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298265#M56434 <P>Thank you for your answer</P> <P>This worked and gave me an easy to read output from my AD data. I need to take it a step further. I need to look for users that have not logged in for 6 months.</P> <P>My search looks like this:</P> <P>index=myADdata<BR /> | eval lastLogon = strftime(lastLogonTimestamp/10000000-11644473600,"%m/%d/%Y") <BR /> | where last_logon &lt; (now() - (86400 * 180))<BR /> | table cn lastLogon</P> Wed, 15 Feb 2017 13:59:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-convert-Windows-LDAP-18-digit-lastLogonTimestamp-field-to/m-p/298265#M56434 DPWSplunkPOC 2017-02-15T13:59:17Z