Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Date extraction command Question for LDAP dump

daryllj
Path Finder
‎04-29-2021 01:44 PM

hi there- I tried a few things already, but looking to get guidence on this one- I am using the LDAP query module in Splunk to dump out directory information and then present into a simple table, and running into a challenge simplifying extraction of the date from the AD account creation field:

| ldapsearch basedn="XXXXXXXXXXX" search="(&(objectCategory=user)(objectClass=user)(distinguishedName=*))" attrs="displayName,distinguishedName,mail,lastLogonTimestamp,whenCreated" 

I want to simplify presentation of the two date and time fields:  lasLogonTimestamp and whenCreated.

What I get with these fields today when I output to a table (example)

2019-05-06 16:53:24+00:00

What I want to see:

2019-05-06

What I have tried:

adding in:

| eval Created=strftime(whenCreated,"%Y%m%d") | prior to my table command.

this seems to result in nothing being populated in the new field (I am expecting just a date value) ...I am not sure if the strftime command is correct when it comes to this format of data...

thoughts welcomed as always

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-30-2021 05:23 AM

To convert a timestamp from one string format into another string format you must first convert it into an integer using strptime.

| eval Created=strftime(strptime(whenCreated,"%Y-%m-%d %H:%M:%S%:z"),"%Y-%m-%d") |
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

daryllj
Path Finder
‎04-30-2021 08:39 AM

Thanks for taking the time out to educate me on this one- works perfectly,  I really appreciate you taking a few minutes of your time!

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-30-2021 05:23 AM

To convert a timestamp from one string format into another string format you must first convert it into an integer using strptime.

| eval Created=strftime(strptime(whenCreated,"%Y-%m-%d %H:%M:%S%:z"),"%Y-%m-%d") |
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...