Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change ldapsearch that is returning whenCreated attribute in an awkward timestamp format?

kearaspoor
SplunkTrust
SplunkTrust
‎11-24-2015 06:12 AM

I have an ldapsearch that is successfully retrieving multiple AD attributes including the whenCreated attribute. Unfortunately, this field is coming back in this format: YYYYMMDDhhmmss.0Z which I can't seem to get converted into a usable/easily readable format.

I've tried the following: 

| convert mktime(whenCreated)  - returns a blank field
| convert ctime(whenCreated - returns a blank field
| eval n=round(whenCreated,0)  - does not create the new field "n" as would be expected
| convert num(whenCreated)  - removes the Z leaving YYYYmmddHHMMSS.0
| convert num(whenCreated) | eval n=round(whenCreated,0)

successfully creates new field "n" with the number in YYYYmmddHHMMSS format, leaving off the ".0Z"

| convert num(whenCreated) | eval n=round(whenCreated,0)  | eval CreatedString=tostring(n)

creates new field "CreatedString" that's a direct copy of "n", assuming in string format.

BUT!

| convert num(whenCreated) | eval n=round(whenCreated,0)  | eval CreatedString=tostring(n) | eval WHENCREATED=strptime(CreatedString,"%Y/%m/%d %H:%M:%S")

Does NOT create a new field called "WHENCREATED" as would be expected.

1) Is is possible to adjust the LDAP query to return the whenCreated attribute in a more human-readable format? (I'm very much an LDAP newbie)
2) Why does the last series of convert/eval commands not place the values in the timeformat specified?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2015 06:32 AM

This should work

... | eval s="20151124092244.0Z" | eval x=strptime(s, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2015 06:40 AM

I can't help with LDAP, but this command will parse the whenCreated value in its current form. The convert commands are unnecessary as strptime does all of the required conversions.

eval WHENCREATED=strptime(whenCreated,"%Y%m%d%H%M%S.%1N%Z")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎11-24-2015 06:59 AM

nope.. that just gave me a 10 digit number with 6 decimal points.. Wish it had been that easy!

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-24-2015 06:32 AM

This should work

... | eval s="20151124092244.0Z" | eval x=strptime(s, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")
Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎11-24-2015 07:03 AM

REALLY CLOSE! Close enough to give me the final clue: Just needed:

| eval x=strptime(whenCreated, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...