Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

the user has not logon AD for more than 90 days

nalia_v
Loves-to-Learn Everything
‎02-17-2021 09:51 AM

Hi.

The topic is probably already hackneyed, but I'll ask you anyway.

Classic case - the user has not logon for more than 90 days.

I want to make a request through - ldapsearch, With enrichment through blood pressure AD.

 

There is an example request https://docs.splunksecurityessentials.com/content-detail/old_passwords/

Took from the request only - there were no login for more than 90 days.

| ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,pwdLastSet,lastLogonTimestamp,whenCreated,badPwdCount,logonCount" | fields - _raw host _time
| convert timeformat="%Y-%m-%dT%H:%M:%S.%6QZ" mktime(lastLogonTimestamp) | convert timeformat="%Y%m%d%H%M%S.0Z"
| where lastLogonTimestamp > relative_time(now(), "-90d")
| convert ctime(lastLogonTimestamp)

The request is processed and takes away attributes from AD, but the time of the last login-lastLogonTimestamp does not show the former not 90 days.

Where is the error in the request ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...