Converting Active Directory Time Fields

ogdin · ‎09-01-2010

AD stores certain fields like:

pwdLastSet

in a large integer format. How can I convert these to a human readable time format using Splunk?

Examples:

129290832000000000 129278238808929391

ogdin · ‎09-02-2010

Close. Windows uses NT epoch. Below should work.

... | eval human_time=strftime(pwdLastSet/10000000-11644473600,"%Y-%m-%d %H:%M:%S")

ogdin · ‎09-02-2010

Yes. I should have qualified that. This specific field in the AD logs use NT epoch. Thanks.

gkanapathy · ‎09-02-2010

Some parts of Windows uses NT epoch, which are based off 01/01/1601 00:00:00, but others (.NET-based mostly) use MS Ticks, which are 10^-7 seconds since 01/01/0001 00:00:00. (Using which calendar, I do not know.)

gkanapathy · ‎09-01-2010

Looks to me like this, for example, would work:

... | eval human_time=strftime(pwdLastSet/1000000000,"%Y-%m-%d %H:%M:%S")

Converting Active Directory Time Fields

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

Converting Active Directory Time Fields

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA