Getting Data In

Is there a better way to convert the age output into a more readable format (i.e. days)?

New Member


I'm attempting to track AWS related password events in my Splunk.

I am sifting through my index and receiving the data I need -- however I am having an issue with converting the "age" from a unix based notation.

I am using the following to determine the age of passwords:

| eval age =_time   

My output is as follows:

PasswordLastUsed                                                                            age
018448995162    user    2020-02-14T20:49:08+00:00   1585319203
018448995162    user    2020-02-13T16:59:30+00:00   1585319203

Is there a better way to convert the age output into a more readable format (i.e. days)?


  • Kiran
0 Karma

Esteemed Legend

Like this:

... | eval age = now() - _time
| fieldformat age = tostring(age, "duration")
0 Karma


The _time field is the date and time when the event occurred. It's probably not the best choice for password age.

That said, use the strftime function to make epochs readable.

... | eval age = strftime(_time, "%Y-%m-%d %H:%M:S")

You can use the convert command, instead.

... | convert timeformat="%Y-%m-%d %H:%M:S" ctime(_time) as age
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...