AD stores certain fields like:
in a large integer format. How can I convert these to a human readable time format using Splunk?
Close. Windows uses NT epoch. Below should work.
... | eval human_time=strftime(pwdLastSet/10000000-11644473600,"%Y-%m-%d %H:%M:%S")
Yes. I should have qualified that. This specific field in the AD logs use NT epoch. Thanks.
Some parts of Windows uses NT epoch, which are based off 01/01/1601 00:00:00, but others (.NET-based mostly) use MS Ticks, which are 10^-7 seconds since 01/01/0001 00:00:00. (Using which calendar, I do not know.)
Looks to me like this, for example, would work:
... | eval human_time=strftime(pwdLastSet/1000000000,"%Y-%m-%d %H:%M:%S")