Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert Windows LDAP 18 digit lastLogonTimestamp field to human readable format?

DPWSplunkPOC
Explorer
‎02-14-2017 08:21 AM

I've seen lots of different solutions for converting time from epoch but I have not come across a solution that works to convert the Windows LDAP 18-digit lastLogonTimestamp field. How do I convert this field to a human readable field?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-14-2017 09:16 AM

You can use following formula to convert LDAP/FILETIME timestamps to human readable date in Splunk. See this runanywhere sample

| gentimes start=-1 | eval time=131315659450000000 | eval time_s=(time/10000000)-11644473600 | eval time_human=strftime(time_s,"%+")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-14-2017 09:16 AM

You can use following formula to convert LDAP/FILETIME timestamps to human readable date in Splunk. See this runanywhere sample

| gentimes start=-1 | eval time=131315659450000000 | eval time_s=(time/10000000)-11644473600 | eval time_human=strftime(time_s,"%+")
Reply
Solved! Jump to solution

DPWSplunkPOC
Explorer
‎02-15-2017 05:59 AM

Thank you for your answer

This worked and gave me an easy to read output from my AD data. I need to take it a step further. I need to look for users that have not logged in for 6 months.

My search looks like this:

index=myADdata
| eval lastLogon = strftime(lastLogonTimestamp/10000000-11644473600,"%m/%d/%Y")
| where last_logon < (now() - (86400 * 180))
| table cn lastLogon

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2017 08:30 AM

Hi DPWSplunkPOC
did you tried?

eval TimeStamp=strftime(_time,"%d/%m/%Y %H.%M.%S")

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

DPWSplunkPOC
Explorer
‎02-14-2017 08:37 AM

Yes I have. This does not work for Windows LDAP time stamps because Active Directory stores date/time values as the number of 100-nanosecond intervals that have elapsed since the 0 hour on January 1, 1601 until the date/time that is being stored according to MS technet.

If Windows used epoch in LDAP, that eval would work.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2017 08:43 AM

did you tried

eval TimeStamp=strftime(_time/100,"%d/%m/%Y %H.%M.%S")

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...