Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to change ldapsearch that is returning whenCreated attribute in an awkward timestamp format?

kearaspoor
SplunkTrust
SplunkTrust
‎11-24-2015 06:12 AM

I have an ldapsearch that is successfully retrieving multiple AD attributes including the whenCreated attribute. Unfortunately, this field is coming back in this format: YYYYMMDDhhmmss.0Z which I can't seem to get converted into a usable/easily readable format.

I've tried the following: 

| convert mktime(whenCreated)  - returns a blank field
| convert ctime(whenCreated - returns a blank field
| eval n=round(whenCreated,0)  - does not create the new field "n" as would be expected
| convert num(whenCreated)  - removes the Z leaving YYYYmmddHHMMSS.0
| convert num(whenCreated) | eval n=round(whenCreated,0)

successfully creates new field "n" with the number in YYYYmmddHHMMSS format, leaving off the ".0Z"

| convert num(whenCreated) | eval n=round(whenCreated,0)  | eval CreatedString=tostring(n)

creates new field "CreatedString" that's a direct copy of "n", assuming in string format.

BUT!

| convert num(whenCreated) | eval n=round(whenCreated,0)  | eval CreatedString=tostring(n) | eval WHENCREATED=strptime(CreatedString,"%Y/%m/%d %H:%M:%S")

Does NOT create a new field called "WHENCREATED" as would be expected.

1) Is is possible to adjust the LDAP query to return the whenCreated attribute in a more human-readable format? (I'm very much an LDAP newbie)
2) Why does the last series of convert/eval commands not place the values in the timeformat specified?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2015 06:32 AM

This should work

... | eval s="20151124092244.0Z" | eval x=strptime(s, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2015 06:40 AM

I can't help with LDAP, but this command will parse the whenCreated value in its current form. The convert commands are unnecessary as strptime does all of the required conversions.

eval WHENCREATED=strptime(whenCreated,"%Y%m%d%H%M%S.%1N%Z")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎11-24-2015 06:59 AM

nope.. that just gave me a 10 digit number with 6 decimal points.. Wish it had been that easy!

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2015 06:32 AM

This should work

... | eval s="20151124092244.0Z" | eval x=strptime(s, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")
Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎11-24-2015 07:03 AM

REALLY CLOSE! Close enough to give me the final clue: Just needed:

| eval x=strptime(whenCreated, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")

Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...