Hi.
I have a monitor of "/etc/shadow" file with last password change field lastchange in days (example lastchange=16937). It's a number of days from 01/01/1970
I need to determine the date of last password change of a user.
I want to do something like: 01.01.1970+lastchange=last_password_change_date
How to do that?
There are 86400 seconds per day. "Epoch time" is seconds since 1/1/1970 GMT. Therefore you want to multiply days since 1/1/1970 by 86400.
... eval epochTime=lastchange*86400 ...
Once you have epoch time you can use "convert ctime(epochTime)" to change to human readable dates like this:
... | eval epochTime=lastchange*86400 | convert ctime(epochTime) |...
There are 86400 seconds per day. "Epoch time" is seconds since 1/1/1970 GMT. Therefore you want to multiply days since 1/1/1970 by 86400.
... eval epochTime=lastchange*86400 ...
Once you have epoch time you can use "convert ctime(epochTime)" to change to human readable dates like this:
... | eval epochTime=lastchange*86400 | convert ctime(epochTime) |...
Thanks a lot. It's working
Anytime! Thanks for marking as your answer!
@jkat54 , could you please help me on this, I have filed which contains number of days, i,e. days=20098 i,e 2020 jan 1st onwards. 98 days means April 7th 2020 like that. i need to convert these numbers to date.
| makeresults
| eval days=20098
| eval days_hr=strptime(days,"%y%j")
| eval check = strftime(days_hr,"%c")
@james_n try this.