Hi All,

I am recently new to SPLUNK and trying to identify a way of doing some time differences. I have done an export for the enabled devices in AD and their last logon times. An example of a result is

HOSTNUMBER1,HOSTNUMBER1.domain.com,Windows Server 2008, 26/10/2017 7:40

From my list I have strung together the following query

index=adlastlogondate AND sourcetype=csv | eval currenttime=strftime(now(),"%d/%m/%Y %H:%M") | eval time=strptime(lastlogondate,"%d/%m/%Y %H:%M") eval timedifference=lastlogontime-today | table hostname time lastlogondate currenttime timedifference | sort time

This generates the following result (NOTE: using "|" to denote columns in the table). Note I get no time difference (which is likely due to this bring a string)

Hostname | time | lastlogondate | currenttime | timedifference

HOSTNUMBER1 | 12114214569.000000 | 25/10/2017 01:00 | 26/10/2017 15:16 |

I tried running this to convert the string into an epoch time(?) to try this but I get the same result

index=adlastlogondate AND sourcetype=csv | eval currenttime=strftime(now(),"%d/%m/%Y %H:%M") | eval time=strptime(lastlogondate,"%d/%m/%Y %H:%M") | convert ctime(time) AS lastlogontime | convert ctime(currenttime) AS today |eval timedifference=lastlogontime-today | table hostname time lastlogondate currenttime timedifference | sort time

Where am I going wrong?