Can you help me convert the following field to epo...

joesrepsolc · ‎12-18-2018

I'm stuck trying to figure out the conversion on this time format field from Active Directory data. Hoping someone can assist? I am not sure how do the syntax to deal with the comma and day of the week components... Haven't seen that in Splunk events to date.

I'm trying to convert this to epoch time so I can do math and see how old it is from now()

05:20.55 PM, Mon 12/17/2018

strptime(lastLogonTimestamp, "%H:%M:%S %p %m/%d/%Y") - not working.

Thanks!

Joe

Vijeta · ‎12-18-2018

Try this

strptime(lastLogonTimestamp, "%I:%M:%S %p, %A %m/%d/%Y")

joesrepsolc · ‎12-19-2018

Still not getting anything from either of these tips... Tried %A and %a neither seem to matter.

lastLogonTimestamp value is 12:58.51 PM, Tue 12/11/2018

SEARCH:
index=msad
| head 10
| eval login_time = strptime(lastLogonTimestamp, "%H:%M:%S %p, %a %m/%d/%Y")
| eval timenow = now()
| table lastLogonTimestamp login_time timenow

Vijeta · ‎12-19-2018

Use %I instead of %H for 12 hour format.

whrg · ‎12-19-2018

I see you wrote "12:58.51" (There is one colon and one period instead of two colons.)
So try ""%H:%M.%S ..."

whrg · ‎12-19-2018

I believe it is supposed to be %a instead of %A.
See Date and time format variables

Can you help me convert the following field to epoch time?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Can you help me convert the following field to epoch time?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!