Converting Active Directory Time Fields

ogdin · ‎09-01-2010

AD stores certain fields like:

pwdLastSet

in a large integer format. How can I convert these to a human readable time format using Splunk?

Examples:

129290832000000000 129278238808929391

ogdin · ‎09-02-2010

Close. Windows uses NT epoch. Below should work.

... | eval human_time=strftime(pwdLastSet/10000000-11644473600,"%Y-%m-%d %H:%M:%S")

ogdin · ‎09-02-2010

Yes. I should have qualified that. This specific field in the AD logs use NT epoch. Thanks.

gkanapathy · ‎09-02-2010

Some parts of Windows uses NT epoch, which are based off 01/01/1601 00:00:00, but others (.NET-based mostly) use MS Ticks, which are 10^-7 seconds since 01/01/0001 00:00:00. (Using which calendar, I do not know.)

gkanapathy · ‎09-01-2010

Looks to me like this, for example, would work:

... | eval human_time=strftime(pwdLastSet/1000000000,"%Y-%m-%d %H:%M:%S")

Converting Active Directory Time Fields

Best of Community @.conf20 Humans That Splunk: Meet Abhishek... Humans That Splunk: Meet Guiseppe... Visit our Community Blog >

Best of Community @.conf20
Humans That Splunk: Meet Abhishek...
Humans That Splunk: Meet Guiseppe...

Visit our Community Blog >