I'm attempting to track AWS related password events in my Splunk.
I am sifting through my index and receiving the data I need -- however I am having an issue with converting the "age" from a unix based notation.
I am using the following to determine the age of passwords:
| eval age =_time
My output is as follows:
018448995162 user 2020-02-14T20:49:08+00:00 1585319203
018448995162 user 2020-02-13T16:59:30+00:00 1585319203
Is there a better way to convert the age output into a more readable format (i.e. days)?
The _time field is the date and time when the event occurred. It's probably not the best choice for password age.
That said, use the strftime function to make epochs readable.
... | eval age = strftime(_time, "%Y-%m-%d %H:%M:S")
You can use the convert command, instead.
... | convert timeformat="%Y-%m-%d %H:%M:S" ctime(_time) as age
... | eval age = now() - _time
| fieldformat age = tostring(age, "duration")