Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

AD Field Dates Converting and Searching

tmugherini
New Member
‎11-07-2013 05:41 AM

Hello All

New to splunk and would like a bit of guidance on dealing with Active Directory attributes that ave dates such as accountExpires and pwdLastSet.

For example; this work well

source="ActiveDirectory" AND accountExpires="12:00.00 AM, Tue 01/01/2013" AND accountExpires>0 | dedup name | search userAccountControl="512"

However I would really like to see everything that expires prior to this date. "<" does not work because I suspect splunk see's this value as a string.

Anyone have some examples of efficient ways to accomplish what I am looking for.

TY

Tags (1)
0 Karma
Reply

lukejadamec
Super Champion
‎11-07-2013 06:50 AM

You can try converting the accountExpires string value to a time with strftime like this:

| eval accountExpires=strftime(Date, "%I:%M.%S %P, %a %m/%d/%Y") |

The only issue I see is your seconds appear to be decimal minutes, and I don't see a strftime representation for that...

0 Karma
Reply

bigtyma
Communicator
‎01-17-2014 07:33 AM

Did you find an answer for this? I am having the same issue.

0 Karma
Reply

mcrawford44
Communicator
‎12-18-2013 12:55 PM

This particular example does not appear to work for the LastLogonTimestamp field in AD which is the same format. Unless I'm missing something, when using this eval and displaying the field; it just appears null.

0 Karma
Reply

tmugherini
New Member
‎11-07-2013 11:07 AM

Thanks

What do I do with converted value post, just query as usual with < value?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...