Getting Data In
Highlighted

Active Directory Password Expiry x2

Builder

index="msad" (objectCategory="CN=Person" AND userAccountControl!=514)
| dedup displayName
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
*
| where DateLastChanged < relative_time(now(),"-25d@d")** <- *In this place my search not work*
| table DateLastChanged displayName | Sort -DateLastChanged
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(DateLastChanged)

it's mean that my client don't have this policy or it's mean broken search?

0 Karma
Highlighted

Re: Active Directory Password Expiry x2

SplunkTrust
SplunkTrust

That question should be able to be answered from a portion of your search. Try running this:

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514) 
| dedup displayName 
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| table displayName, DateLastChanged, pwdLastSet

This should confirm for you that the eval is working OK.

If you see pwdLastSet is filled in but DateLastChanged is not, then you know the strptime is likely at fault - there's a wrong specifier in there or something.

If both are filled in, try converting a 25-days-ago date to epoch (using, like, epochconverter.com) and hardcoding that date in there as your where condition to make sure your where is right.

index="msad" (objectCategory="CN=Person*" AND userAccountControl!=514) 
| dedup displayName 
| eval DateLastChanged = strptime(pwdLastSet, "%H:%M.%S %p, %a %m/%d/%Y")
| where DateLastChanged < 15151515 <- WHATEVER VALUE YOU FOUND 
| table displayName, DateLastChanged, pwdLastSet

Using a process like that, where you just start with the minimal data and progress through step by step, you should be able to a) confirm what you are doing is right and b) find where it's going wrong.

So, sorry this isn't a pat answer, it's the whole teach a person to fish thing - but I hope it helps!

Happy Splunking, Rich

View solution in original post