Converting Active Directory Time Fields

ogdin · ‎09-01-2010

AD stores certain fields like:

pwdLastSet

in a large integer format. How can I convert these to a human readable time format using Splunk?

Examples:

129290832000000000 129278238808929391

ogdin · ‎09-02-2010

Close. Windows uses NT epoch. Below should work.

... | eval human_time=strftime(pwdLastSet/10000000-11644473600,"%Y-%m-%d %H:%M:%S")

ogdin · ‎09-02-2010

Yes. I should have qualified that. This specific field in the AD logs use NT epoch. Thanks.

gkanapathy · ‎09-02-2010

Some parts of Windows uses NT epoch, which are based off 01/01/1601 00:00:00, but others (.NET-based mostly) use MS Ticks, which are 10^-7 seconds since 01/01/0001 00:00:00. (Using which calendar, I do not know.)

gkanapathy · ‎09-01-2010

Looks to me like this, for example, would work:

... | eval human_time=strftime(pwdLastSet/1000000000,"%Y-%m-%d %H:%M:%S")

Converting Active Directory Time Fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation

Converting Active Directory Time Fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience