Re: Netskope Breach_date calculation

usmsplunksme · ‎06-10-2019

HI,

In the "Compromised Credential" alert type there is also a field called "breach_date" but the results are not in readable format (e.g 1383436800) is someone please able to assist in calculating this field to a more readable date?

lauruss · ‎07-06-2022

Hi there,

I know this post is old but maybe it will help someone else - I am using:

| eval breach_date=strftime(breach_date,"%d/%m/%y")

Shan · ‎06-10-2019

Dear @usmsplunksme,

Try below option. Copy and run the code in search head, you will get the solution.
You can use eval command line in your query.

| makeresults
| eval StartTime=strftime("1383436800","%Y/%m/%d %H:%M:%S")
| table StartTime

Thanks ..

usmsplunksme · ‎06-11-2019

Thanks for the answere that seemed to convert the string to a date and time format. but when i try and convert all entries in the extracted field it fails. my query is:

Search query | eval StartTime=strftime("extracted_field","%Y/%m/%d %H:%M:%S") | table StartTime

Shan · ‎06-12-2019

@usmsplunksme,

Can i see the extracted_field values.
what is the Error your getting, while running the query..

Thanks ..

usmsplunksme · ‎06-12-2019

HI Shankaranath,

extracted values are:

1325376000

1338508800

1370908800

1439856000
1447286400

1447718400

1448928000

1456185600

1457049600

1457222400

1457654400

1458604800

1460073600

1464739200

1468713600

1470009600

1473206400

1475020800

1475366400

These are supposedly a date.

Thanks for the assistance

Help with Netskope Breach_date calculation

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases