Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

AD Field Dates Converting and Searching

tmugherini
New Member
‎11-07-2013 05:41 AM

Hello All

New to splunk and would like a bit of guidance on dealing with Active Directory attributes that ave dates such as accountExpires and pwdLastSet.

For example; this work well

source="ActiveDirectory" AND accountExpires="12:00.00 AM, Tue 01/01/2013" AND accountExpires>0 | dedup name | search userAccountControl="512"

However I would really like to see everything that expires prior to this date. "<" does not work because I suspect splunk see's this value as a string.

Anyone have some examples of efficient ways to accomplish what I am looking for.

TY

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎11-07-2013 06:50 AM

You can try converting the accountExpires string value to a time with strftime like this:

| eval accountExpires=strftime(Date, "%I:%M.%S %P, %a %m/%d/%Y") |

The only issue I see is your seconds appear to be decimal minutes, and I don't see a strftime representation for that...

0 Karma
Reply

bigtyma
Communicator
‎01-17-2014 07:33 AM

Did you find an answer for this? I am having the same issue.

0 Karma
Reply

mcrawford44
Communicator
‎12-18-2013 12:55 PM

This particular example does not appear to work for the LastLogonTimestamp field in AD which is the same format. Unless I'm missing something, when using this eval and displaying the field; it just appears null.

0 Karma
Reply

tmugherini
New Member
‎11-07-2013 11:07 AM

Thanks

What do I do with converted value post, just query as usual with < value?

0 Karma
Reply
Get Updates on the Splunk Community!

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...

Splunk and TLS: It doesn't have to be too hard

Overview Creating a TLS cert for Splunk usage is pretty much standard openssl.  To make life better, use an ...

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Lantern is a Splunk customer success center that provides practical guidance from Splunk experts on key ...