https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/549907#M156059 <P>hi there- I tried a few things already, but looking to get guidence on this one- I am using the LDAP query module in Splunk to dump out directory information and then present into a simple table, and running into a challenge simplifying extraction of the date from the AD account creation field:</P><P>| ldapsearch basedn="XXXXXXXXXXX" search="(&amp;(objectCategory=user)(objectClass=user)(distinguishedName=*))" attrs="displayName,distinguishedName,mail,lastLogonTimestamp,whenCreated"&nbsp;</P><P>I want to simplify presentation of the two date and time fields:&nbsp; lasLogonTimestamp and whenCreated.</P><P>What I get with these fields today when I output to a table (example)</P><P><SPAN>2019-05-06 16:53:24+00:00</SPAN></P><P>What I want to see:</P><P><SPAN>2019-05-06</SPAN></P><P><SPAN>What I have tried:</SPAN></P><P><SPAN>adding in:</SPAN></P><P><SPAN>| eval Created=strftime(whenCreated,"%Y%m%d") | prior to my table command.</SPAN></P><P>this seems to result in nothing being populated in the new field (I am expecting just a date value) ...I am not sure if the strftime command is correct when it comes to this format of data...</P><P>thoughts welcomed as always</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Apr 2021 20:44:16 GMT daryllj 2021-04-29T20:44:16Z https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/549907#M156059 <P>hi there- I tried a few things already, but looking to get guidence on this one- I am using the LDAP query module in Splunk to dump out directory information and then present into a simple table, and running into a challenge simplifying extraction of the date from the AD account creation field:</P><P>| ldapsearch basedn="XXXXXXXXXXX" search="(&amp;(objectCategory=user)(objectClass=user)(distinguishedName=*))" attrs="displayName,distinguishedName,mail,lastLogonTimestamp,whenCreated"&nbsp;</P><P>I want to simplify presentation of the two date and time fields:&nbsp; lasLogonTimestamp and whenCreated.</P><P>What I get with these fields today when I output to a table (example)</P><P><SPAN>2019-05-06 16:53:24+00:00</SPAN></P><P>What I want to see:</P><P><SPAN>2019-05-06</SPAN></P><P><SPAN>What I have tried:</SPAN></P><P><SPAN>adding in:</SPAN></P><P><SPAN>| eval Created=strftime(whenCreated,"%Y%m%d") | prior to my table command.</SPAN></P><P>this seems to result in nothing being populated in the new field (I am expecting just a date value) ...I am not sure if the strftime command is correct when it comes to this format of data...</P><P>thoughts welcomed as always</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Apr 2021 20:44:16 GMT https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/549907#M156059 daryllj 2021-04-29T20:44:16Z https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/549993#M156076 <P>To convert a timestamp from one string format into another string format you must first convert it into an integer using <FONT face="courier new,courier">strptime</FONT>.</P><LI-CODE lang="markup">| eval Created=strftime(strptime(whenCreated,"%Y-%m-%d %H:%M:%S%:z"),"%Y-%m-%d") | </LI-CODE> Fri, 30 Apr 2021 12:23:08 GMT https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/549993#M156076 richgalloway 2021-04-30T12:23:08Z https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/550033#M156085 <P>Thanks for taking the time out to educate me on this one- works perfectly,&nbsp; I really appreciate you taking a few minutes of your time!</P> Fri, 30 Apr 2021 15:39:08 GMT https://community.splunk.com/t5/Splunk-Search/Date-extraction-command-Question-for-LDAP-dump/m-p/550033#M156085 daryllj 2021-04-30T15:39:08Z