i have the last sync time for my activesync clients going to splunk via powershell input.
LastSyncAttemptTime = 04/07/2016 21:49:08
this produces a text field that is not sortable or useable.
i tried to convert it using:
| eval lastSync=strptime(LastSyncAttemptTime,"%x %T") | table lastSync
with no luck. i have tried numerous variations of %codes to list the date and time, and a few variations produce a decimal value.
my end goal here is to look for clients that last synced over 30 days ago.
you can try this instead:
| eval lastSync=strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S")
Hope this helps ...
which looks like it converted it into epoch time. convert again?
this seems to be working to generate the field in human readable format
| eval lastSync=strftime(strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S"),"%m/%d/%y %H:%M:%S")
what i realized is to finish the rest of the search it was easier to leave it in epoch time. use this for now:
| eval lastSync=strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S") | eval lastsyncbad = relative_time(now(), "-30d" ) | where lastSync < lastsyncbad
there might be a more effective method but this works.
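
An added example, not from any poster in this thread: the same 30-day check, extended so that values strptime cannot parse (it returns null for them) are reported instead of silently dropped by the where clause. The Device field, the four sample rows generated with makeresults, and the "never" value are constructed for illustration; in a real search, replace the first four commands with the base search that returns LastSyncAttemptTime.

```spl
| makeresults count=4
| streamstats count AS n
| eval Device="constructed-device-".n
| eval LastSyncAttemptTime=case(
    n=1, "04/07/2016 21:49:08",
    n=2, strftime(relative_time(now(), "-45d"), "%m/%d/%Y %H:%M:%S"),
    n=3, strftime(relative_time(now(), "-2d"), "%m/%d/%Y %H:%M:%S"),
    n=4, "never")
| eval lastSync=strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S")
| eval status=case(
    isnull(lastSync), "unparsed",
    lastSync < relative_time(now(), "-30d"), "stale",
    true(), "current")
| where status!="current"
| eval daysSinceSync=round((now() - lastSync) / 86400, 1)
| eval lastSyncText=strftime(lastSync, "%Y-%m-%d %H:%M:%S")
| sort 0 lastSync
| table Device LastSyncAttemptTime lastSyncText daysSinceSync status
```

The comparison and sort run on the epoch value in lastSync; lastSyncText is only for display.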