Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

the user has not logon AD for more than 90 days

nalia_v
Loves-to-Learn Everything
‎02-17-2021 09:51 AM

Hi.

The topic is probably already hackneyed, but I'll ask you anyway.

Classic case - the user has not logon for more than 90 days.

I want to make a request through - ldapsearch, With enrichment through blood pressure AD.

 

There is an example request https://docs.splunksecurityessentials.com/content-detail/old_passwords/

Took from the request only - there were no login for more than 90 days.

| ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,pwdLastSet,lastLogonTimestamp,whenCreated,badPwdCount,logonCount" | fields - _raw host _time
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6QZ" mktime(lastLogonTimestamp) | convert timeformat="%Y%m%d%H%M%S.0Z"
| where lastLogonTimestamp > relative_time(now(), "-90d")
| convert ctime(lastLogonTimestamp)

The request is processed and takes away attributes from AD, but the time of the last login-lastLogonTimestamp does not show the former not 90 days.

Where is the error in the request ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...