Getting Data In

Converting Active Directory Time Fields

Splunk Employee
Splunk Employee

AD stores certain fields like:

pwdLastSet

in a large integer format. How can I convert these to a human readable time format using Splunk?

Examples:

129290832000000000 129278238808929391

Splunk Employee
Splunk Employee

Close. Windows uses NT epoch. Below should work.

... | eval human_time=strftime(pwdLastSet/10000000-11644473600,"%Y-%m-%d %H:%M:%S")

Splunk Employee
Splunk Employee

Yes. I should have qualified that. This specific field in the AD logs use NT epoch. Thanks.

0 Karma

Splunk Employee
Splunk Employee

Some parts of Windows uses NT epoch, which are based off 01/01/1601 00:00:00, but others (.NET-based mostly) use MS Ticks, which are 10^-7 seconds since 01/01/0001 00:00:00. (Using which calendar, I do not know.)

0 Karma

Splunk Employee
Splunk Employee

Looks to me like this, for example, would work:

... | eval human_time=strftime(pwdLastSet/1000000000,"%Y-%m-%d %H:%M:%S")
0 Karma