topic Re: last time of user login needs to evaluate in Splunk Search

last time of user login needs to evaluate

deepak_dhankhar — Tue, 20 Jun 2017 10:34:33 GMT

need to evaluate the duration of last time user logged in and time now.
problem I am facing is in lastTime I am getting values like "1473248264"

Re: last time of user login needs to evaluate

gcusello — Tue, 20 Jun 2017 10:40:53 GMT

Hi deepak.dhankhar,
value isin epoch time, to translate it in human readable format you have to convert it:

if you have a date use | eval new_value=strftime(your_value,"%Y-%m-%d.%H:%M:%S")
if you have a duration use | eval duration=tostring(your_value,"duration")

Bye.
Giuseppe

Re: last time of user login needs to evaluate

horsefez — Tue, 20 Jun 2017 10:43:22 GMT

Hi,

you need to use the command strftimeto convert this timeformat into a more human readable.

<yoursearch> | eval LASTTIME=strftime(lastTime,"%d-%m-%Y %H:%M:%S")

Re: last time of user login needs to evaluate

deepak_dhankhar — Tue, 20 Jun 2017 10:47:56 GMT

Got the last time in readable format, but still unable to compair it to current time

Re: last time of user login needs to evaluate

niketn — Tue, 20 Jun 2017 10:51:11 GMT

If you just want to change the time from epoch time to human readable string format, you should better use fieldformat which will format the data without changing the underlying data. For calculating the last login duration as compared to current time you can use now() function for getting current time and compare to lastTime (which is epoch time as per your question).

 <Your Base Search>
| eval durationInSec=now()-lastTime
| fieldformat  lastTime=strftime(lastTime,"%c")

You can use your own time format specified, I have used %c as an example for convenience.

Re: last time of user login needs to evaluate

deepak_dhankhar — Tue, 20 Jun 2017 10:54:27 GMT

sorry, I think you didnt got my question correct i think. let me elobrate it for you.

lastTime is the field I am getting the user's last time login time
now with "eval LASTTIME=strftime(lastTime,"%d-%m-%Y %H:%M:%S")" I got this is in readable format,
Now I need is the difference between that time and now currrent time.

that will give me the user's has not logged in from that much time, hope I am clear now

Re: last time of user login needs to evaluate

deepak_dhankhar — Tue, 20 Jun 2017 11:12:45 GMT

Thank you so much

Re: last time of user login needs to evaluate

gcusello — Tue, 20 Jun 2017 11:23:27 GMT

hi deepak.dhankhar,
to compair it to current time, you have to:

convert it in epochtime using strptime function in eval command,
compair to current time,
show as duration.

in other words something like this:

| eval your_time=strptime(your_time,"your_format"), duration=tostring(now()-your_time,"duration")

Bye.
Giuseppe

Re: last time of user login needs to evaluate

horsefez — Tue, 20 Jun 2017 12:35:21 GMT

Thanks for the clarification. 🙂