All Apps and Add-ons

How to edit my ldapsearch to find a user's last login age (lastLogonTimestamp - current time)?

maclel
Engager

Hi,

With an LDAP search (ldapsearch), how do I go about getting a user's lastLogonTimestamp minus the current time (of search), in say days. i.e. someone hasn't logged in since 2016-06-02T00:00:00.000000Z is roughly 60 days...

Current search is:

| ldapsearch domain=internal search="(&(objectclass=user)(!(objectClass=computer)))" limit=10 attrs="sAMAccountName, displayName, distinguishedName, userAccountControl, whenCreated, accountExpires, lastLogonTimestamp"
| makemv userAccountControl
| search dn!="*OU=_Disabled Users*"
| eval accountDisable=if(userAccountControl == "ACCOUNTDISABLE
NORMAL_ACCOUNT", "Yes", "No")
| eval dontExpirePasswd=if(userAccountControl="DONT_EXPIRE_PASSWD
NORMAL_ACCOUNT", "Yes", "No")
| eval passwdNotRequired=if(userAccountControl == "PASSWD_NOTREQD
NORMAL_ACCOUNT", "Yes", "No")
| eval lastLoginAge=(lastLogonTimestamp - now())
| table sAMAccountName, displayName, dn, userAccountControl, whenCreated, accountDisable, dontExpirePasswd, passwdNotRequired, lastLoginAge, lastLogonTimestamp, accountExpires

Just not sure which eval time function command to use.

Environment:
Linux 6.3.3 Splunk Enterprise servers
MSInfra 1.3.0
SA-ldapsearch 2.1.3
Splunk Add-on for Microsoft Active Directory 1.0.0 (deployed to a couple DCs via UFs)

0 Karma
1 Solution

sundareshr
Legend

For time compares, you have to first convert the time to epoch format (seconds). The difference between two times, is always in seconds. So, to get the time in days, you can divide by 86400 (secs per day)

| ldapsearch domain=internal search="(&(objectclass=user)(!(objectClass=computer)))" limit=10 attrs="sAMAccountName, displayName, distinguishedName, userAccountControl, whenCreated, accountExpires, lastLogonTimestamp"
 | makemv userAccountControl
 | search dn!="*OU=_Disabled Users*"
 | eval accountDisable=if(userAccountControl == "ACCOUNTDISABLE
 NORMAL_ACCOUNT", "Yes", "No")
 | eval dontExpirePasswd=if(userAccountControl="DONT_EXPIRE_PASSWD
 NORMAL_ACCOUNT", "Yes", "No")
 | eval passwdNotRequired=if(userAccountControl == "PASSWD_NOTREQD
 NORMAL_ACCOUNT", "Yes", "No")
| eval lastLoginAge_epoch=strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
 | eval lastLoginAge=round((lastLoginAge_epoch - now())/86400, 0)
 | table sAMAccountName, displayName, dn, userAccountControl, whenCreated, accountDisable, dontExpirePasswd, passwdNotRequired, lastLoginAge, lastLogonTimestamp, accountExpires

View solution in original post

sundareshr
Legend

For time compares, you have to first convert the time to epoch format (seconds). The difference between two times, is always in seconds. So, to get the time in days, you can divide by 86400 (secs per day)

| ldapsearch domain=internal search="(&(objectclass=user)(!(objectClass=computer)))" limit=10 attrs="sAMAccountName, displayName, distinguishedName, userAccountControl, whenCreated, accountExpires, lastLogonTimestamp"
 | makemv userAccountControl
 | search dn!="*OU=_Disabled Users*"
 | eval accountDisable=if(userAccountControl == "ACCOUNTDISABLE
 NORMAL_ACCOUNT", "Yes", "No")
 | eval dontExpirePasswd=if(userAccountControl="DONT_EXPIRE_PASSWD
 NORMAL_ACCOUNT", "Yes", "No")
 | eval passwdNotRequired=if(userAccountControl == "PASSWD_NOTREQD
 NORMAL_ACCOUNT", "Yes", "No")
| eval lastLoginAge_epoch=strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
 | eval lastLoginAge=round((lastLoginAge_epoch - now())/86400, 0)
 | table sAMAccountName, displayName, dn, userAccountControl, whenCreated, accountDisable, dontExpirePasswd, passwdNotRequired, lastLoginAge, lastLogonTimestamp, accountExpires
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...