
Splunk Support for Active Directory: Why is my Active Directory lookup not working using "eval whenCreated=20150803"?

Path Finder


I would like to run a report of Active Directory accounts created in the last 24 hours. I tried different things, but I'm not sure if the eval command takes a Splunk-style time period (such as -24h) or > yesterday's date. |eval whenCreated=20150803 did not work.

|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval whenCreated=20150803
|table sAMAccountName, displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate


Why don't we lean on the LDAP server for the filtering on userAccountControl and whenCreated? I don't have SA-ldapsearch installed currently however I believe this search should enable you to use the time picker to choose the dates of earliest and latest, and do all filtering in the AD server:

| ldapsearch [noop | stats count | addinfo | foreach *_time [eval <<FIELD>>=strftime(<<FIELD>>,"%Y%m%d%H%M%S.0%z")] | eval search="(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(whenCreated>=".info_min_time.")(whenCreated<=".info_max_time."))" | return search] | table samAccountName ... 

What the heck is going on here? Let's start in the subsearch.

  • noop | stats count | addinfo -> these three commands together effectively create a single result with the information about the selected search time window. noop is the undocumented "do nothing" command, and then use stats to count the nothing.
  • foreach *_time [eval <<FIELD>>=strftime(<<FIELD>>,"%Y%m%d%H%M%S.0%z")] -> We format all of the time variables from the addinfo command to be an appropriate format for an LDAP search against the whenCreated attribute. This format is described in this article.
  • eval search="" -> This is where we build the actual LDAP search we're going to pass to ldapsearch. In addition to the whenCreated and the objectClass filters, you may be interested in this article about how we're querying for those accounts with the NORMAL_ACCOUNT bit set.
  • return search -> using the return command to end our subsearch means that we put literally search="(& ... )"(with the actual contents) into the parent search.

Replacing the subsearch with an example of its result, we are then left with:

| ldapsearch search="(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(whenCreated>=20150803000000.0-0500)(whenCreated<=20150803195237.0-0500))" | table samAccountName ...

I'm in the Central US timezone, and my time picker was set to 'Today', which now is 7:52pm.

Other notes... ensure the domain parameter is set to the name of the configuration stanza in ldap.conf. You should also consider setting the attrs parameter to pull back only the attributes you want, and ensure that basedn is appropriate in your configuration or set it explicitly as well. But hopefully this (more LDAP than Splunk) answer helps you out!
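The following is an added worked example, written in Python rather than SPL and not part of the answer above or of SA-ldapsearch. It rebuilds the same LDAP filter string the subsearch produces from an info_min_time/info_max_time pair, then evaluates that filter against a few constructed directory entries the way a domain controller would (objectClass equality, the 1.2.840.113556.1.4.803 bitwise-AND rule, and ordered comparison of generalizedTime values). The fixed UTC-5 offset for Central US, the sample accounts, and the narrow filter parser in evaluate_filter (it only understands the shape build_filter emits) are assumptions of this example.

```python
"""Added example: build and evaluate the whenCreated / userAccountControl
LDAP filter from the answer above. Not code from the original thread."""
from datetime import datetime, timedelta, timezone
import re

# Bit-AND matching rule OID and the NORMAL_ACCOUNT bit, both as used on the page.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
NORMAL_ACCOUNT = 0x200  # 512

# Assumption: Central US in August is UTC-5, which matches the "-0500" on the page.
CENTRAL = timezone(timedelta(hours=-5), "CDT")

# The answer's window: 'Today' as of 7:52:37 pm Central on 2015-08-03 (assumed seconds).
EARLIEST = datetime(2015, 8, 3, 0, 0, 0, tzinfo=CENTRAL).timestamp()    # info_min_time
LATEST = datetime(2015, 8, 3, 19, 52, 37, tzinfo=CENTRAL).timestamp()   # info_max_time


def generalized_time(epoch, tz):
    """Format an epoch (what addinfo leaves in info_min_time/info_max_time)
    exactly like the answer's strftime: %Y%m%d%H%M%S.0%z."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y%m%d%H%M%S.0%z")


def build_filter(info_min_time, info_max_time, tz):
    """Reproduce the eval search="(& ... )" step of the subsearch."""
    return (
        "(&(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={NORMAL_ACCOUNT})"
        f"(whenCreated>={generalized_time(info_min_time, tz)})"
        f"(whenCreated<={generalized_time(info_max_time, tz)}))"
    )


# Minimal parser for the one filter shape build_filter() produces (assumption of this demo).
_GT = r"(\d{14}\.0(?:Z|[+-]\d{4}))"
FILTER_RE = re.compile(
    r"^\(&\(objectClass=user\)"
    r"\(userAccountControl:" + re.escape(LDAP_MATCHING_RULE_BIT_AND) + r":=(\d+)\)"
    r"\(whenCreated>=" + _GT + r"\)"
    r"\(whenCreated<=" + _GT + r"\)\)$"
)


def parse_generalized_time(value):
    """AD returns whenCreated as e.g. 20150803150000.0Z; %z accepts 'Z' (Python 3.7+)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0%z")


def evaluate_filter(ldap_filter, entry):
    """Apply the filter to one entry (a dict) as the DC would: equality on
    objectClass, bitwise AND on userAccountControl, ordered generalizedTime range."""
    m = FILTER_RE.match(ldap_filter)
    if m is None:
        raise ValueError("filter is not the shape built by build_filter()")
    required_bits = int(m.group(1))
    low = parse_generalized_time(m.group(2))
    high = parse_generalized_time(m.group(3))
    created = parse_generalized_time(entry["whenCreated"])
    return (
        "user" in entry["objectClass"]
        and (entry["userAccountControl"] & required_bits) == required_bits
        and low <= created <= high
    )


# Constructed sample entries; whenCreated is stored in UTC ("Z") as AD returns it.
_USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": _USER,
     "userAccountControl": 512, "whenCreated": "20150803150000.0Z"},    # normal, in window
    {"sAMAccountName": "bob", "objectClass": _USER,
     "userAccountControl": 514, "whenCreated": "20150803180000.0Z"},    # 512|2: disabled, bit still set
    {"sAMAccountName": "carol", "objectClass": _USER,
     "userAccountControl": 66048, "whenCreated": "20150802120000.0Z"},  # created the day before
    {"sAMAccountName": "ws01$", "objectClass": _USER + ["computer"],
     "userAccountControl": 4096, "whenCreated": "20150803160000.0Z"},   # computer: objectClass=user matches, bit does not
]


def select_accounts(entries, ldap_filter):
    """Names of the entries the filter would return, in directory order."""
    return [e["sAMAccountName"] for e in entries if evaluate_filter(ldap_filter, e)]


if __name__ == "__main__":
    search = build_filter(EARLIEST, LATEST, CENTRAL)
    print(search)
    print(select_accounts(SAMPLE_ENTRIES, search))  # ['alice', 'bob']
```

Two things the sample entries make visible: the bit-AND rule on 512 only checks that the NORMAL_ACCOUNT bit is set, so a disabled account (512|2 = 514) is still returned, and computer objects carry objectClass=user as well but fail the bit test because their userAccountControl is 4096. If disabled accounts should be excluded, a second bit-AND clause negated on the ACCOUNTDISABLE bit (value 2) can be added to the filter; that clause is not on the page.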

Esteemed Legend

The syntax of that search should work just fine so the problem is either that the field whenCreated does not exist or that your dataset does not have any events with the value 20150803. You should be able to figure this out by stripping off the end and examining the results of this (smaller) search:

|ldapsearch search="(&(objectclass=user))" |makemv userAccountControl |search userAccountControl="NORMAL_ACCOUNT"