| rest /services/authentication/current-context
| table username roles updated
| search username!=splunk-system-user
| rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+)
| eval timestamp= timestampA + timestampB
| eval timestamp = strptime(timestamp, “%Y-%m-%d%H:%M:%S.%3N”)
| eval timestamp=strftime(timestamp, “%c”)
|fields – timestampA timestampB
Why not just do this?
| rest /services/authentication/current-context
| table username roles updated
| search username!=splunk-system-user
| eval timestamp = strftime(strptime(updated, “%Y-%m-%dT%H:%M:%S.%3N”), “%c”)
| fields timestamp