https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146306#M40866 <P>ah correct. perfect that works well. Thanks for your quick help. Appreciate it !</P> Tue, 29 Apr 2014 19:07:19 GMT saurabhkunte 2014-04-29T19:07:19Z https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146302#M40862 <P>Hello All,<BR /> I am hoping one of you can help me out with the following:<BR /> I have a Powershell script which is displaying the output of all Active Directory Server objects and indexing to Splunk which works well. The output is getting indexed in the following format:<BR /> output :</P> <P>2014/04/29 11:46:39 ServerName="am-dc02" ADSPath="CN=am-dc02,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:36"<BR /> 2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"</P> <P>this script runs everyday and indexes the ad export list to splunk.</P> <P>What i want to achieve is to have a report setup to list all new AD objects that got created Current Date -1 day, Current Date - 7 days. i can use the " Created" date field to calculate this. However when I try to convert this field to epoch time and then compare it against timenow, I do not get any results. Can any body provide me with the correct query on how to achieve these reports ?</P> <P>Thank you.<BR /> S</P> Tue, 29 Apr 2014 18:31:31 GMT https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146302#M40862 saurabhkunte 2014-04-29T18:31:31Z https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146303#M40863 <P>Try this</P> <PRE><CODE>your base search | eval report_cutoff=relative_time(now(),"-1d") | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(Created) | where Created &gt; report_cutoff </CODE></PRE> Tue, 29 Apr 2014 18:47:02 GMT https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146303#M40863 somesoni2 2014-04-29T18:47:02Z https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146304#M40864 <P>Thanks for your reply.<BR /> This returns no results and I know for sure i had the above 2 AD objects created yesterday and listed under Created Field. Any other ideas please ?</P> Tue, 29 Apr 2014 18:54:53 GMT https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146304#M40864 saurabhkunte 2014-04-29T18:54:53Z https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146305#M40865 <P>-1d goes back exactly 24 hrs back (e.g if its 4/29 2 PM now, then it goes back to 4/28 2 PM). Change it to -1d@d to see AD groups created since Yesterday Midnight (4/28 12 AM)</P> Tue, 29 Apr 2014 19:06:53 GMT https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146305#M40865 somesoni2 2014-04-29T19:06:53Z https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146306#M40866 <P>ah correct. perfect that works well. Thanks for your quick help. Appreciate it !</P> Tue, 29 Apr 2014 19:07:19 GMT https://community.splunk.com/t5/Splunk-Search/Date-Field-calculations-help/m-p/146306#M40866 saurabhkunte 2014-04-29T19:07:19Z