I have an ldapsearch that is successfully retrieving multiple AD attributes including the whenCreated attribute. Unfortunately, this field is coming back in this format: YYYYMMDDhhmmss.0Z which I can't seem to get converted into a usable/easily readable format.
I've tried the following:
| convert mktime(whenCreated) - returns a blank field
| convert ctime(whenCreated) - returns a blank field
| eval n=round(whenCreated,0) - does not create the new field "n" as would be expected
| convert num(whenCreated) - removes the Z leaving YYYYmmddHHMMSS.0
| convert num(whenCreated) | eval n=round(whenCreated,0)
successfully creates new field "n" with the number in YYYYmmddHHMMSS format, leaving off the ".0Z"
| convert num(whenCreated) | eval n=round(whenCreated,0) | eval CreatedString=tostring(n)
creates new field "CreatedString" that's a direct copy of "n", assuming in string format.
| convert num(whenCreated) | eval n=round(whenCreated,0) | eval CreatedString=tostring(n) | eval WHENCREATED=strptime(CreatedString,"%Y/%m/%d %H:%M:%S")
Does NOT create a new field called "WHENCREATED" as would be expected.
1) Is it possible to adjust the LDAP query to return the whenCreated attribute in a more human-readable format? (I'm very much an LDAP newbie)
2) Why does the last series of convert/eval commands not place the values in the time format specified?
I can't help with LDAP, but this command will parse the whenCreated value in its current form. The convert commands are unnecessary as strptime does all of the required conversions.
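An added example, not the command from the answer above: one way to turn a whenCreated value into an epoch time and a readable string. The sample value is constructed, and the field names digits, mismatched, created_epoch, created_readable and age_days are illustrative. The mismatched field stays empty because a format containing slashes, a space and colons cannot match a string of 14 bare digits, which is why WHENCREATED was never created in the question. The working version strips the ".0Z" suffix and appends an explicit +0000 offset so the value is read as UTC rather than in the search user's time zone.

```spl
| makeresults
| eval whenCreated="20190314152233.0Z"
| eval digits=replace(whenCreated, "\.\d+Z$", "")
| eval mismatched=strptime(digits, "%Y/%m/%d %H:%M:%S")
| eval created_epoch=strptime(digits." +0000", "%Y%m%d%H%M%S %z")
| eval created_readable=strftime(created_epoch, "%Y-%m-%d %H:%M:%S %z")
| eval age_days=round((now() - created_epoch) / 86400, 1)
| table whenCreated digits mismatched created_epoch created_readable age_days
```

To use it on real results, drop the first two lines and append the rest to the search that returns whenCreated; created_epoch can then be compared with relative_time() to pick out recently created accounts.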