Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

AD Field Dates Converting and Searching

tmugherini
New Member
‎11-07-2013 05:41 AM

Hello All

New to splunk and would like a bit of guidance on dealing with Active Directory attributes that ave dates such as accountExpires and pwdLastSet.

For example; this work well

source="ActiveDirectory" AND accountExpires="12:00.00 AM, Tue 01/01/2013" AND accountExpires>0 | dedup name | search userAccountControl="512"

However I would really like to see everything that expires prior to this date. "<" does not work because I suspect splunk see's this value as a string.

Anyone have some examples of efficient ways to accomplish what I am looking for.

TY

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎11-07-2013 06:50 AM

You can try converting the accountExpires string value to a time with strftime like this:

| eval accountExpires=strftime(Date, "%I:%M.%S %P, %a %m/%d/%Y") |

The only issue I see is your seconds appear to be decimal minutes, and I don't see a strftime representation for that...

0 Karma
Reply

bigtyma
Communicator
‎01-17-2014 07:33 AM

Did you find an answer for this? I am having the same issue.

0 Karma
Reply

mcrawford44
Communicator
‎12-18-2013 12:55 PM

This particular example does not appear to work for the LastLogonTimestamp field in AD which is the same format. Unless I'm missing something, when using this eval and displaying the field; it just appears null.

0 Karma
Reply

tmugherini
New Member
‎11-07-2013 11:07 AM

Thanks

What do I do with converted value post, just query as usual with < value?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...