Thanks so much for the answers; they helped me get close.
I finally figured out the problem. The way we handle LDAP timestamps in our instance is that they are strings, and I had to reconstruct them. We have two timestamps, and even though they appear to have the same syntax in the output view, they have different characters.
As was suggested, I used strptime to get epoch time. I also learned that if you want to subtract _time from a variable, you need to assign it to a variable.
| ldapsearch domain=ED search="(&(objectClass=eduPerson)(weillCornellEduCWID=xyz))" attrs="ID,createTimestamp,modifyTimestamp"
| eval z = substr(createTimestamp,1,4) . "-" . substr(createTimestamp,5,2) . "-" . substr(createTimestamp,7,2) . " " . substr(createTimestamp,9,2) . ":" . substr(createTimestamp,11,2) . ":" . substr(createTimestamp,13,2)
| eval q = substr(modifyTimestamp,1,4) . "-" . substr(modifyTimestamp,6,2) . "-" . substr(modifyTimestamp,9,2) . " " . substr(modifyTimestamp,12,2) . ":" . substr(modifyTimestamp,15,2) . ":" . substr(modifyTimestamp,18,2)
| eval createTime=strptime(z,"%Y-%m-%d %H:%M:%S")
| eval modifyTime=strptime(q,"%Y-%m-%d %H:%M:%S")
| eval systemTime=_time
| eval createDiff = systemTime - createTime
| eval modifyDiff = systemTime - modifyTime
| fields - _*
| fields ID, systemTime, createTime, modifyTime, createDiff, modifyDiff, z, q
I hope this is helpful to someone else.
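An alternative to the per-field substr offsets in the post above, added here as an example and not part of the original post: strip every non-digit character first, so both timestamp layouts collapse to the same 14-digit string and one strptime format parses both. The two sample values are constructed to match the offsets used in the post (the real separator characters are not shown there), and parseStatus, createDigits and modifyDigits are hypothetical field names.

```spl
| makeresults
| eval sample_note="constructed sample values, not data from the original post"
| eval createTimestamp="20230115103000Z", modifyTimestamp="2023-01-15T10:30:00Z"
| eval createDigits=substr(replace(createTimestamp, "\D", ""), 1, 14)
| eval modifyDigits=substr(replace(modifyTimestamp, "\D", ""), 1, 14)
| eval createTime=strptime(createDigits, "%Y%m%d%H%M%S")
| eval modifyTime=strptime(modifyDigits, "%Y%m%d%H%M%S")
| eval systemTime=_time
| eval createDiff=systemTime-createTime, modifyDiff=systemTime-modifyTime
| eval parseStatus=if(isnull(createTime) OR isnull(modifyTime), "unparsed", "ok")
| table createTimestamp, modifyTimestamp, createTime, modifyTime, createDiff, modifyDiff, parseStatus
```

To use it on real data, replace the makeresults and sample eval lines with the ldapsearch command from the post. Because the format string carries no time zone, check the resulting epoch values against a known record if the directory stores its timestamps in UTC.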