In the "Compromised Credential" alert type there is also a field called "breach_date", but the results are not in a readable format (e.g. 1383436800). Is someone please able to assist in calculating this field to a more readable date?
I know this post is old but maybe it will help someone else - I am using:
| eval breach_date=strftime(breach_date,"%d/%m/%y")
Try the option below. Copy and run the code in the search head and you will get the solution.
You can use the eval command line in your query.
| makeresults | eval StartTime=strftime("1383436800","%Y/%m/%d %H:%M:%S") | table StartTime
Thanks for the answer, that seemed to convert the string to a date and time format, but when I try and convert all entries in the extracted field it fails. My query is:
Search query | eval StartTime=strftime("extracted_field","%Y/%m/%d %H:%M:%S") | table StartTime
Can I see the extracted_field values?
What is the error you're getting while running the query?
Extracted values are:
These are supposedly a date.
Thanks for the assistance
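
Added example, not part of the original thread: in eval, a double-quoted "extracted_field" is a string literal rather than a field reference, so the query below passes the field name unquoted. It goes beyond the thread by also handling epochs given in milliseconds and flagging non-numeric values. The sample rows and the field names n, epoch, breach_date_readable and sample_note are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample_note="constructed sample row, not data from the thread"
| eval breach_date=case(n=1, "1383436800", n=2, "1383436800000", n=3, "not-a-date")
| eval epoch=tonumber(breach_date)
| eval epoch=if(epoch > 99999999999, epoch/1000, epoch)
| eval breach_date_readable=if(isnull(epoch), "invalid: ".breach_date, strftime(epoch, "%Y/%m/%d %H:%M:%S"))
| table breach_date breach_date_readable sample_note
```

strftime renders in the time zone of the user running the search, so the same epoch can display as a different calendar day for different analysts.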