Hi All,
I am fairly new to Splunk and trying to identify a way of doing some time differences. I have done an export of the enabled devices in AD and their last logon times. An example of a result is:
HOSTNUMBER1,HOSTNUMBER1.domain.com,Windows Server 2008, 26/10/2017 7:40
From my list I have strung together the following query
index=adlastlogondate AND sourcetype=csv | eval currenttime=strftime(now(),"%d/%m/%Y %H:%M") | eval time=strptime(lastlogondate,"%d/%m/%Y %H:%M") eval timedifference=lastlogontime-today | table hostname time lastlogondate currenttime timedifference | sort time
This generates the following result (NOTE: using "|" to denote columns in the table). Note that I get no time difference (which is likely due to this being a string):
***************************************************************************************
Hostname | time | lastlogondate | currenttime | timedifference
HOSTNUMBER1 | 12114214569.000000 | 25/10/2017 01:00 | 26/10/2017 15:16 |
***************************************************************************************
I tried running this to convert the string into an epoch time(?) to get around that, but I get the same result:
index=adlastlogondate AND sourcetype=csv | eval currenttime=strftime(now(),"%d/%m/%Y %H:%M") | eval time=strptime(lastlogondate,"%d/%m/%Y %H:%M") | convert ctime(time) AS lastlogontime | convert ctime(currenttime) AS today |eval timedifference=lastlogontime-today | table hostname time lastlogondate currenttime timedifference | sort time
Where am I going wrong?
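For comparison, here is an added example (not from the original post or from Splunk's own documentation) that keeps the subtraction on the numeric epoch value returned by strptime instead of on the strings produced by ctime/strftime, and only formats for display at the end. The hostname and lastlogondate fields come from the post; the 90-day stale threshold and the age_* field names are assumptions for illustration:

```spl
index=adlastlogondate sourcetype=csv
| eval lastlogon_epoch=strptime(lastlogondate, "%d/%m/%Y %H:%M")
| eval age_seconds=now() - lastlogon_epoch
| eval age_days=round(age_seconds / 86400, 1)
| eval lastlogon_human=strftime(lastlogon_epoch, "%d/%m/%Y %H:%M")
| eval currenttime=strftime(now(), "%d/%m/%Y %H:%M")
| eval stale=if(age_days > 90, "yes", "no")
| table hostname lastlogon_human currenttime age_days stale
| sort - age_days
```

Rows where lastlogondate does not match the strptime format will have a null lastlogon_epoch and therefore a null age_days, so filtering on `isnull(lastlogon_epoch)` is a quick way to spot records the export wrote in a different date format.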