Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

AD Field Dates Converting and Searching

tmugherini
New Member
‎11-07-2013 05:41 AM

Hello All

New to splunk and would like a bit of guidance on dealing with Active Directory attributes that ave dates such as accountExpires and pwdLastSet.

For example; this work well

source="ActiveDirectory" AND accountExpires="12:00.00 AM, Tue 01/01/2013" AND accountExpires>0 | dedup name | search userAccountControl="512"

However I would really like to see everything that expires prior to this date. "<" does not work because I suspect splunk see's this value as a string.

Anyone have some examples of efficient ways to accomplish what I am looking for.

TY

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎11-07-2013 06:50 AM

You can try converting the accountExpires string value to a time with strftime like this:

| eval accountExpires=strftime(Date, "%I:%M.%S %P, %a %m/%d/%Y") |

The only issue I see is your seconds appear to be decimal minutes, and I don't see a strftime representation for that...

0 Karma
Reply

bigtyma
Communicator
‎01-17-2014 07:33 AM

Did you find an answer for this? I am having the same issue.

0 Karma
Reply

mcrawford44
Communicator
‎12-18-2013 12:55 PM

This particular example does not appear to work for the LastLogonTimestamp field in AD which is the same format. Unless I'm missing something, when using this eval and displaying the field; it just appears null.

0 Karma
Reply

tmugherini
New Member
‎11-07-2013 11:07 AM

Thanks

What do I do with converted value post, just query as usual with < value?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...