Getting Data In

Active Directory Password Expiry x2

test_qweqwe
Builder

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514)
| dedup displayName
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| where DateLastChanged < relative_time(now(),"-25d@d") <- *In this place my search not work*
| table DateLastChanged displayName | Sort -DateLastChanged
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(DateLastChanged)

it's mean that my client don't have this policy or it's mean broken search?

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

That question should be able to be answered from a portion of your search. Try running this:

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514) 
| dedup displayName 
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| table displayName, DateLastChanged, pwdLastSet

This should confirm for you that the eval is working OK.

If you see pwdLastSet is filled in but DateLastChanged is not, then you know the strptime is likely at fault - there's a wrong specifier in there or something.

If both are filled in, try converting a 25-days-ago date to epoch (using, like, epochconverter.com) and hardcoding that date in there as your where condition to make sure your where is right.

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514) 
| dedup displayName 
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| where DateLastChanged < 15151515 <- WHATEVER VALUE YOU FOUND 
| table displayName, DateLastChanged, pwdLastSet

Using a process like that, where you just start with the minimal data and progress through step by step, you should be able to a) confirm what you are doing is right and b) find where it's going wrong.

So, sorry this isn't a pat answer, it's the whole teach a person to fish thing - but I hope it helps!

Happy Splunking, Rich

View solution in original post

Richfez
SplunkTrust
SplunkTrust

That question should be able to be answered from a portion of your search. Try running this:

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514) 
| dedup displayName 
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| table displayName, DateLastChanged, pwdLastSet

This should confirm for you that the eval is working OK.

If you see pwdLastSet is filled in but DateLastChanged is not, then you know the strptime is likely at fault - there's a wrong specifier in there or something.

If both are filled in, try converting a 25-days-ago date to epoch (using, like, epochconverter.com) and hardcoding that date in there as your where condition to make sure your where is right.

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514) 
| dedup displayName 
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| where DateLastChanged < 15151515 <- WHATEVER VALUE YOU FOUND 
| table displayName, DateLastChanged, pwdLastSet

Using a process like that, where you just start with the minimal data and progress through step by step, you should be able to a) confirm what you are doing is right and b) find where it's going wrong.

So, sorry this isn't a pat answer, it's the whole teach a person to fish thing - but I hope it helps!

Happy Splunking, Rich

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...