https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687089#M234346 <P>thanks this has worked perfectly.&nbsp;<BR /><BR /></P> Thu, 09 May 2024 19:13:18 GMT PaulaCom 2024-05-09T19:13:18Z https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687033#M234320 <P>Afternoon All</P> <P>i'd like some help please with some SPL logic that i just cant crack <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P> <P>I have data on some user in our Active Directory system and i am trying to:</P> <P>create a new column with actions</P> <P>identify those who have no logged in for more than 61 days and is so the action should return "reset password"</P> <P>here's the part that i am having an issue with below. the first two lines are working as expected returning last_logon_total&nbsp; day, month, year</P> <P>i have a new field i created called 'action' that i want to return a value in of those users who have not logged in for more than 61 days.. but i cant get the spl right.<BR /><BR /></P> <LI-CODE lang="markup">| eval epoch_lastLogonTimestamp_date = strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S") | eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y") | eval action = if(last_logon_total = relative_time(), "-61d@d", "reset password")</LI-CODE> <P><BR /><BR /></P> <P>&nbsp;</P> <P>any ideas ?</P> <P>&nbsp;</P> <P>Thanks</P> <P>Paula&nbsp;&nbsp;</P> <P>&nbsp;</P> Thu, 09 May 2024 14:15:08 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687033#M234320 PaulaCom 2024-05-09T14:15:08Z https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687041#M234325 <P>There were a few errors, but this should work.&nbsp; Note I broke out the comparison_date calculation from the eval where you decide if they need to reset or not, to a) make it more clear and b) so you can see the dates/strings it's comparing with.</P><LI-CODE lang="markup">| makeresults format="CSV" data="date 2024-05-09T08:05:00 2024-02-09T08:05:00" | eval epoch_lastLogonTimestamp_date = strptime(date, "%Y-%m-%dT%H:%M:%S") | eval last_logon_total = strftime(epoch_lastLogonTimestamp_date, "%d/%m/%Y") | eval comparison_date = relative_time(now(),"-61d@d") | eval action = if(epoch_lastLogonTimestamp_date &lt;= comparison_date, "reset password", "no change needed")</LI-CODE><P>&nbsp;</P><P>I think the biggest issue was that the epoch date is the only one you need.&nbsp; Do your math on it, work with it.&nbsp; If you need to see it in a more human readable version, you can convert it back at the end.&nbsp; In this case, 'last_logon_total' is simply unused after you build it.</P><P>&nbsp;</P><P>Happy splunking, and if this helped karma would be appreciated!</P><P>-Rich</P> Thu, 09 May 2024 13:50:00 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687041#M234325 Richfez 2024-05-09T13:50:00Z https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687089#M234346 <P>thanks this has worked perfectly.&nbsp;<BR /><BR /></P> Thu, 09 May 2024 19:13:18 GMT https://community.splunk.com/t5/Splunk-Search/using-eval-and-time/m-p/687089#M234346 PaulaCom 2024-05-09T19:13:18Z