Re: Can you help me convert the following field to...

joesrepsolc · ‎12-18-2018

I'm stuck trying to figure out the conversion on this time format field from Active Directory data. Hoping someone can assist? I am not sure how do the syntax to deal with the comma and day of the week components... Haven't seen that in Splunk events to date.

I'm trying to convert this to epoch time so I can do math and see how old it is from now()

05:20.55 PM, Mon 12/17/2018

strptime(lastLogonTimestamp, "%H:%M:%S %p %m/%d/%Y") - not working.

Thanks!

Joe

Vijeta · ‎12-18-2018

Try this

strptime(lastLogonTimestamp, "%I:%M:%S %p, %A %m/%d/%Y")

joesrepsolc · ‎12-19-2018

Still not getting anything from either of these tips... Tried %A and %a neither seem to matter.

lastLogonTimestamp value is 12:58.51 PM, Tue 12/11/2018

SEARCH:
index=msad
| head 10
| eval login_time = strptime(lastLogonTimestamp, "%H:%M:%S %p, %a %m/%d/%Y")
| eval timenow = now()
| table lastLogonTimestamp login_time timenow

Vijeta · ‎12-19-2018

Use %I instead of %H for 12 hour format.

whrg · ‎12-19-2018

I see you wrote "12:58.51" (There is one colon and one period instead of two colons.)
So try ""%H:%M.%S ..."

whrg · ‎12-19-2018

I believe it is supposed to be %a instead of %A.
See Date and time format variables

Can you help me convert the following field to epoch time?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...