Splunk Search

How to convert a field containing number of days since 01/01/1970 to a human readable date?

kalianov
Path Finder

Hi.

I have a monitor of "/etc/shadow" file with last password change field lastchange in days (example lastchange=16937). It's a number of days from 01/01/1970
I need to determine the date of last password change of a user.
I want to do something like: 01.01.1970+lastchange=last_password_change_date
How to do that?

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

There are 86400 seconds per day. "Epoch time" is seconds since 1/1/1970 GMT. Therefore you want to multiply days since 1/1/1970 by 86400.

... eval epochTime=lastchange*86400 ...

Once you have epoch time you can use "convert ctime(epochTime)" to change to human readable dates like this:

... | eval epochTime=lastchange*86400 | convert ctime(epochTime) |...

View solution in original post

jkat54
SplunkTrust
SplunkTrust

There are 86400 seconds per day. "Epoch time" is seconds since 1/1/1970 GMT. Therefore you want to multiply days since 1/1/1970 by 86400.

... eval epochTime=lastchange*86400 ...

Once you have epoch time you can use "convert ctime(epochTime)" to change to human readable dates like this:

... | eval epochTime=lastchange*86400 | convert ctime(epochTime) |...

kalianov
Path Finder

Thanks a lot. It's working

0 Karma

jkat54
SplunkTrust
SplunkTrust

Anytime! Thanks for marking as your answer!

0 Karma

james_n
Path Finder

@jkat54 , could you please help me on this, I have filed which contains number of days, i,e. days=20098 i,e 2020 jan 1st onwards. 98 days means April 7th 2020 like that. i need to convert these numbers to date.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval days=20098
| eval days_hr=strptime(days,"%y%j")
| eval check = strftime(days_hr,"%c")

@james_n try this.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...