Solved: last time of user login needs to evaluate

deepak_dhankhar · ‎06-20-2017

need to evaluate the duration of last time user logged in and time now.
problem I am facing is in lastTime I am getting values like "1473248264"

gcusello · ‎06-20-2017

Hi deepak.dhankhar,
value isin epoch time, to translate it in human readable format you have to convert it:

if you have a date use | eval new_value=strftime(your_value,"%Y-%m-%d.%H:%M:%S")
if you have a duration use | eval duration=tostring(your_value,"duration")

Bye.
Giuseppe

View solution in original post

niketn · ‎06-20-2017

If you just want to change the time from epoch time to human readable string format, you should better use fieldformat which will format the data without changing the underlying data. For calculating the last login duration as compared to current time you can use now() function for getting current time and compare to lastTime (which is epoch time as per your question).

 <Your Base Search>
| eval durationInSec=now()-lastTime
| fieldformat  lastTime=strftime(lastTime,"%c")

You can use your own time format specified, I have used %c as an example for convenience.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

deepak_dhankhar · ‎06-20-2017

Thank you so much

horsefez · ‎06-20-2017

Hi,

you need to use the command strftimeto convert this timeformat into a more human readable.

<yoursearch> | eval LASTTIME=strftime(lastTime,"%d-%m-%Y %H:%M:%S")

deepak_dhankhar · ‎06-20-2017

sorry, I think you didnt got my question correct i think. let me elobrate it for you.

lastTime is the field I am getting the user's last time login time
now with "eval LASTTIME=strftime(lastTime,"%d-%m-%Y %H:%M:%S")" I got this is in readable format,
Now I need is the difference between that time and now currrent time.

that will give me the user's has not logged in from that much time, hope I am clear now

horsefez · ‎06-20-2017

Thanks for the clarification. 🙂

gcusello · ‎06-20-2017

Hi deepak.dhankhar,
value isin epoch time, to translate it in human readable format you have to convert it:

if you have a date use | eval new_value=strftime(your_value,"%Y-%m-%d.%H:%M:%S")
if you have a duration use | eval duration=tostring(your_value,"duration")

Bye.
Giuseppe

deepak_dhankhar · ‎06-20-2017

Got the last time in readable format, but still unable to compair it to current time

gcusello · ‎06-20-2017

hi deepak.dhankhar,
to compair it to current time, you have to:

convert it in epochtime using strptime function in eval command,
compair to current time,
show as duration.

in other words something like this:

| eval your_time=strptime(your_time,"your_format"), duration=tostring(now()-your_time,"duration")

Bye.
Giuseppe

last time of user login needs to evaluate

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases