I have an ldapsearch that is successfully retrieving multiple AD attributes including the whenCreated attribute. Unfortunately, this field is coming back in this format: YYYYMMDDhhmmss.0Z which I can't seem to get converted into a usable/easily readable format.
I've tried the following:
| convert mktime(whenCreated) - returns a blank field | convert ctime(whenCreated - returns a blank field | eval n=round(whenCreated,0) - does not create the new field "n" as would be expected | convert num(whenCreated) - removes the Z leaving YYYYmmddHHMMSS.0 | convert num(whenCreated) | eval n=round(whenCreated,0)
successfully creates new field "n" with the number in YYYYmmddHHMMSS format, leaving off the ".0Z"
| convert num(whenCreated) | eval n=round(whenCreated,0) | eval CreatedString=tostring(n)
creates new field "CreatedString" that's a direct copy of "n", assuming in string format.
| convert num(whenCreated) | eval n=round(whenCreated,0) | eval CreatedString=tostring(n) | eval WHENCREATED=strptime(CreatedString,"%Y/%m/%d %H:%M:%S")
Does NOT create a new field called "WHENCREATED" as would be expected.
1) Is is possible to adjust the LDAP query to return the whenCreated attribute in a more human-readable format? (I'm very much an LDAP newbie)
2) Why does the last series of convert/eval commands not place the values in the timeformat specified?
This should work
... | eval s="20151124092244.0Z" | eval x=strptime(s, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")
REALLY CLOSE! Close enough to give me the final clue: Just needed:
| eval x=strptime(whenCreated, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")
I can't help with LDAP, but this command will parse the whenCreated value in its current form. The convert commands are unnecessary as strptime does all of the required conversions.
nope.. that just gave me a 10 digit number with 6 decimal points.. Wish it had been that easy!