Solved: Time-based Comparisons on data field

erstexas · ‎07-08-2013

I'm working with the Active Directory app and I am trying to parse and filter on a certain field and I just cannot get this working correctly. Searching the forums has helped me put together the query that I think should work but it does not. The raw data format in the badPasswordTime field is this:

badPasswordTime=07:33.57 AM, Mon 07/08/2013

The following query is what I put together and prints a table with the correct badPasswordDate = 07/08/2013 formatting but does not work when trying to view ONLY the events dated (not logged) within 2 days:

sourcetype="ActiveDirectory" "CN=Person" badPwdCount >= 2 | dedup name | eval badPasswordDate = strftime(strptime(badPasswordTime, "%I:%M.%S %p, %a %m/%d/%Y" ), "%m/%d/%Y") | eval twodays = relative_time(now(), "-2d") | search badPasswordDate > twodays | table name, badPasswordDate, badPwdCount

What am I missing or doing wrong? It seems so simple.

erstexas · ‎07-08-2013

I think i got it. This seems to work for me:

sourcetype="ActiveDirectory" "CN=Person" badPwdCount >= 2 | dedup name | eval twodays = relative_time(now(), "-2d") | convert timeformat="%I:%M.%S %p, %a %m/%d/%Y" mktime(badPasswordTime) as mkbadPasswordTime | where mkbadPasswordTime > twodays | table name, badPasswordTime, badPwdCount

View solution in original post

erstexas · ‎07-08-2013

I think i got it. This seems to work for me:

sourcetype="ActiveDirectory" "CN=Person" badPwdCount >= 2 | dedup name | eval twodays = relative_time(now(), "-2d") | convert timeformat="%I:%M.%S %p, %a %m/%d/%Y" mktime(badPasswordTime) as mkbadPasswordTime | where mkbadPasswordTime > twodays | table name, badPasswordTime, badPwdCount

Time-based Comparisons on data field

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?