I have an ldapsearch that is successfully retrieving multiple AD attributes including the whenCreated attribute. Unfortunately, this field is coming back in this format: YYYYMMDDhhmmss.0Z which I can't seem to get converted into a usable/easily readable format.
I've tried the following:
| convert mktime(whenCreated) - returns a blank field
| convert ctime(whenCreated) - returns a blank field
| eval n=round(whenCreated,0) - does not create the new field "n" as would be expected
| convert num(whenCreated) - removes the Z leaving YYYYmmddHHMMSS.0
| convert num(whenCreated) | eval n=round(whenCreated,0)
successfully creates new field "n" with the number in YYYYmmddHHMMSS format, leaving off the ".0Z"
| convert num(whenCreated) | eval n=round(whenCreated,0) | eval CreatedString=tostring(n)
creates new field "CreatedString" that's a direct copy of "n", assuming in string format.
BUT!
| convert num(whenCreated) | eval n=round(whenCreated,0) | eval CreatedString=tostring(n) | eval WHENCREATED=strptime(CreatedString,"%Y/%m/%d %H:%M:%S")
Does NOT create a new field called "WHENCREATED" as would be expected.
1) Is it possible to adjust the LDAP query to return the whenCreated attribute in a more human-readable format? (I'm very much an LDAP newbie)
2) Why does the last series of convert/eval commands not place the values in the timeformat specified?
Thank you!
I can't help with LDAP, but this command will parse the whenCreated value in its current form. The convert commands are unnecessary as strptime does all of the required conversions.
eval WHENCREATED=strptime(whenCreated,"%Y%m%d%H%M%S.%1N%Z")
nope.. that just gave me a 10 digit number with 6 decimal points.. Wish it had been that easy!
This should work
... | eval s="20151124092244.0Z" | eval x=strptime(s, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")
REALLY CLOSE! Close enough to give me the final clue: Just needed:
| eval x=strptime(whenCreated, "%Y%m%d%H%M%S") | eval t=strftime(x, "%c")
Thank you!
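Added example, not part of the original thread: strptime returns epoch seconds (the 10-digit number mentioned above) and strftime renders it, and the format string in the final search stops before ".0Z", so the trailing Z (UTC) marker is never parsed. This run-anywhere search rewrites that suffix to "+0000" so that %z applies the UTC offset explicitly; the two sample whenCreated values are constructed, and the field names utc, created_epoch and created are hypothetical.

```spl
| makeresults
| eval whenCreated=split("20151124092244.0Z,20200229235959Z", ",")
| mvexpand whenCreated
| eval utc=replace(whenCreated, "(\.\d+)?Z$", "") . " +0000"
| eval created_epoch=strptime(utc, "%Y%m%d%H%M%S %z")
| eval created=strftime(created_epoch, "%Y-%m-%d %H:%M:%S %Z")
| table whenCreated created_epoch created
```

The created field is displayed in the time zone of the user running the search, while created_epoch stays time zone independent and is the one to compare or sort on.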