I have the last sync time for my ActiveSync clients going to Splunk via PowerShell input.
LastSyncAttemptTime = 04/07/2016 21:49:08
This produces a text field that is not sortable or usable.
I tried to convert it using:
| eval lastSync=strptime(LastSyncAttemptTime,"%x %T") | table lastSync
With no luck. I have tried numerous variations of % codes to list the date and time, and a few variations produce a decimal value.
My end goal here is to look for clients that last synced over 30 days ago.
This seems to be working to generate the field in human-readable format:
lastSync=strftime(strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S"),"%m/%d/%y %H:%M:%S")
What I realized is that to finish the rest of the search it was easier to leave it in epoch time. Use this for now:
| eval lastSync=strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S") | eval lastsyncbad = relative_time(now(), "-30d" ) | where lastSync < lastsyncbad
There might be a more effective method, but this works.
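
Added example, not part of the original post: the same strptime comparison run over three constructed rows, also keeping rows whose timestamp is empty or does not parse, because strptime returns null for them and `where lastSync < lastsyncbad` drops them silently. The DeviceId values and the cutoff, syncStatus, daysSinceSync and lastSyncReadable field names are assumptions made for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval DeviceId="constructed-sample-".tostring(n)
| eval LastSyncAttemptTime=case(
    n=1, "04/07/2016 21:49:08",
    n=2, strftime(relative_time(now(), "-2d"), "%m/%d/%Y %H:%M:%S"),
    n=3, "")
| eval lastSync=strptime(LastSyncAttemptTime, "%m/%d/%Y %H:%M:%S")
| eval cutoff=relative_time(now(), "-30d")
| eval syncStatus=case(
    isnull(lastSync), "unparsed_or_never_synced",
    lastSync < cutoff, "stale_over_30d",
    true(), "recent")
| eval daysSinceSync=round((now() - lastSync) / 86400, 1)
| eval lastSyncReadable=strftime(lastSync, "%Y-%m-%d %H:%M:%S")
| where syncStatus!="recent"
| sort lastSync
| table DeviceId LastSyncAttemptTime lastSyncReadable daysSinceSync syncStatus
```

Rows 1 and 3 are returned (stale and unparsed); row 2 is filtered out as recent.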