Netskope Breach_date calculation

usmsplunksme
Explorer

Hi,

In the "Compromised Credential" alert type there is also a field called "breach_date", but the results are not in a readable format (e.g. 1383436800). Is someone please able to assist in calculating this field to a more readable date?

0 Karma

Shan
Builder

Dear @usmsplunksme,

Try the option below. Copy and run the code on the search head, and you will get the solution.
You can use the eval command line in your query.

| makeresults
| eval StartTime=strftime("1383436800","%Y/%m/%d %H:%M:%S")
| table StartTime

Thanks ..

0 Karma

usmsplunksme
Explorer

Thanks for the answer; that seemed to convert the string to a date and time format. But when I try to convert all entries in the extracted field, it fails. My query is:

Search query | eval StartTime=strftime("extracted_field","%Y/%m/%d %H:%M:%S") | table StartTime

0 Karma

Shan
Builder

@usmsplunksme,

Can I see the extracted_field values?
What is the error you're getting while running the query?

Thanks ..

0 Karma

usmsplunksme
Explorer

Hi Shankaranath,

Extracted values are:

1325376000
1338508800
1370908800
1439856000
1447286400
1447718400
1448928000
1456185600
1457049600
1457222400
1457654400
1458604800
1460073600
1464739200
1468713600
1470009600
1473206400
1475020800
1475366400

These are supposedly a date.

Thanks for the assistance

0 Karma
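
The conversion discussed in this thread, as an added example (not code posted by either participant): in eval, a double-quoted "extracted_field" is a string literal rather than a reference to the field, so strftime never sees the field's value. Referencing the field unquoted and forcing it to a number with tonumber converts every row. The first three values come from the thread, with whitespace added around one of them, and the non-numeric value n/a is constructed. The field names epoch and breach_date_readable are chosen for this example.

```spl
| makeresults
| eval breach_date=split("1325376000,1383436800, 1475366400 ,n/a", ",")
| mvexpand breach_date
| eval epoch=tonumber(trim(breach_date))
| eval breach_date_readable=if(isnull(epoch), "not an epoch value", strftime(epoch, "%Y/%m/%d %H:%M:%S"))
| table breach_date epoch breach_date_readable
```

In a real search, the first three lines are replaced by the base search that returns the alerts. strftime renders in the time zone of the user running the search, so these midnight-UTC values can display as the previous calendar day.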