Hello All
New to splunk and would like a bit of guidance on dealing with Active Directory attributes that ave dates such as accountExpires and pwdLastSet.
For example; this work well
source="ActiveDirectory" AND accountExpires="12:00.00 AM, Tue 01/01/2013" AND accountExpires>0 | dedup name | search userAccountControl="512"
However I would really like to see everything that expires prior to this date. "<" does not work because I suspect splunk see's this value as a string.
Anyone have some examples of efficient ways to accomplish what I am looking for.
TY
You can try converting the accountExpires string value to a time with strftime like this:
| eval accountExpires=strftime(Date, "%I:%M.%S %P, %a %m/%d/%Y") |
The only issue I see is your seconds appear to be decimal minutes, and I don't see a strftime representation for that...
Did you find an answer for this? I am having the same issue.
This particular example does not appear to work for the LastLogonTimestamp field in AD which is the same format. Unless I'm missing something, when using this eval and displaying the field; it just appears null.
Thanks
What do I do with converted value post, just query as usual with < value?