Solved: How to convert a field containing number of days s...

kalianov · ‎06-21-2016

Hi.

I have a monitor of "/etc/shadow" file with last password change field lastchange in days (example lastchange=16937). It's a number of days from 01/01/1970
I need to determine the date of last password change of a user.
I want to do something like: 01.01.1970+lastchange=last_password_change_date
How to do that?

jkat54 · ‎06-21-2016

There are 86400 seconds per day. "Epoch time" is seconds since 1/1/1970 GMT. Therefore you want to multiply days since 1/1/1970 by 86400.

... eval epochTime=lastchange*86400 ...

Once you have epoch time you can use "convert ctime(epochTime)" to change to human readable dates like this:

... | eval epochTime=lastchange*86400 | convert ctime(epochTime) |...

View solution in original post

jkat54 · ‎06-21-2016

There are 86400 seconds per day. "Epoch time" is seconds since 1/1/1970 GMT. Therefore you want to multiply days since 1/1/1970 by 86400.

... eval epochTime=lastchange*86400 ...

Once you have epoch time you can use "convert ctime(epochTime)" to change to human readable dates like this:

... | eval epochTime=lastchange*86400 | convert ctime(epochTime) |...

kalianov · ‎06-21-2016

Thanks a lot. It's working

jkat54 · ‎06-21-2016

Anytime! Thanks for marking as your answer!

james_n · ‎04-08-2020

@jkat54 , could you please help me on this, I have filed which contains number of days, i,e. days=20098 i,e 2020 jan 1st onwards. 98 days means April 7th 2020 like that. i need to convert these numbers to date.

to4kawa · ‎04-09-2020

| makeresults 
| eval days=20098
| eval days_hr=strptime(days,"%y%j")
| eval check = strftime(days_hr,"%c")

@james_n try this.

How to convert a field containing number of days since 01/01/1970 to a human readable date?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor