https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682971#M233279 <P>Minor point, but the number of seconds in a day is 86400, not 86000.</P> Wed, 03 Apr 2024 07:38:57 GMT bowesmana 2024-04-03T07:38:57Z https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682738#M233239 <P>I have a dataset of user data including the user's LastLogin. The LastLogin field is slightly oddly formatted but very regular in it's pattern. I wish to calculate the number of days since LastLogin. This should be super simple.</P><P>What is bizarre is that in a contrived example using <STRONG>makeresults</STRONG> it works perfectly.</P><P>&nbsp;</P><LI-CODE lang="python">| makeresults | eval LastLogin="Mar 20, 2024, 16:40" | eval lastactive=strptime(LastLogin, "%b %d, %Y, %H:%M") | eval dayslastactive=round((now() - lastactive) / 86000, 0)</LI-CODE><P>&nbsp;</P><P>This yields:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-04-02_13-46-05.png" style="width: 526px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30015i84E3A5914AC258A5/image-dimensions/526x25?v=v2" width="526" height="25" role="button" title="2024-04-02_13-46-05.png" alt="2024-04-02_13-46-05.png" /></span></P><P>But with the <STRONG>actual</STRONG> results the same transformations do not work.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">| inputlookup MSOLUsers | where match(onPremisesDistinguishedName, "OU=Users") | where not isnull(LastLogin) | eval LastActive=strptime(LastLogin, "%b %d, %Y, %H:%M") | eval DaysLastActive=round((now() - LastActive) / 86000, 0) | fields Company, Department, DisplayName, LastLogin, LastActive, DaysLastActive</LI-CODE><P>&nbsp;</P><P>This yields:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-04-02_13-50-23.png" style="width: 611px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30017i187D25EC4D8534C2/image-dimensions/611x97?v=v2" width="611" height="97" role="button" title="2024-04-02_13-50-23.png" alt="2024-04-02_13-50-23.png" /></span></P><P>What am I missing? Cutting and pasting the strings into the <STRONG>makeresults</STRONG> form gives what I would expect.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 02 Apr 2024 12:53:12 GMT https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682738#M233239 raoul 2024-04-02T12:53:12Z https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682959#M233275 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1640">@raoul</a>,</P><P>Maybe spaces in your LastLogin field are unprintable characters. Can you try below query which cleans all whitespace?</P><LI-CODE lang="markup">| inputlookup MSOLUsers | where match(onPremisesDistinguishedName, "OU=Users") | where not isnull(LastLogin) | eval LastLogin=replace(LastLogin,"[^A-Za-z0-9,:]+","") | eval LastActive=strptime(LastLogin, "%b%d,%Y,%H:%M") | eval DaysLastActive=round((now() - LastActive) / 86000, 0) | fields Company, Department, DisplayName, LastLogin, LastActive, DaysLastActive</LI-CODE> Wed, 03 Apr 2024 05:19:27 GMT https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682959#M233275 scelikok 2024-04-03T05:19:27Z https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682971#M233279 <P>Minor point, but the number of seconds in a day is 86400, not 86000.</P> Wed, 03 Apr 2024 07:38:57 GMT https://community.splunk.com/t5/Splunk-Search/strptime-works-when-using-makeresults-but-not-with-actual/m-p/682971#M233279 bowesmana 2024-04-03T07:38:57Z