Is there a better way to convert the age output in...

kppradhan · ‎03-27-2020

Hello,

I'm attempting to track AWS related password events in my Splunk.

I am sifting through my index and receiving the data I need -- however I am having an issue with converting the "age" from a unix based notation.

I am using the following to determine the age of passwords:

| eval age =_time

My output is as follows:

PasswordLastUsed                                                                            age
018448995162    user    2020-02-14T20:49:08+00:00   1585319203
018448995162    user    2020-02-13T16:59:30+00:00   1585319203

Is there a better way to convert the age output into a more readable format (i.e. days)?

Thanks,

Kiran

woodcock · ‎03-30-2020

Like this:

... | eval age = now() - _time
| fieldformat age = tostring(age, "duration")

richgalloway · ‎03-27-2020

The _time field is the date and time when the event occurred. It's probably not the best choice for password age.

That said, use the strftime function to make epochs readable.

... | eval age = strftime(_time, "%Y-%m-%d %H:%M:S")

You can use the convert command, instead.

... | convert timeformat="%Y-%m-%d %H:%M:S" ctime(_time) as age

---
If this reply helps you, Karma would be appreciated.

Is there a better way to convert the age output into a more readable format (i.e. days)?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

Is there a better way to convert the age output into a more readable format (i.e. days)?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk