Hello, I'm a bit new to Splunk and I'm trying to run a query that shows me users in Active Directory that are still enabled but haven't logged in for the past 30 days. I've tried searching through various posts but none seem to be exactly what I'm looking for. I may have overlooked it, so if someone can point me in the right direction or provide a sample query to get me started I'd be very grateful.
Thanks,
Bob
Thanks @andrew_nelson. Unfortunately, though, we do not have this Add-on installed and, due to our environment, I'm not able to install it anytime soon. We've recently moved our Splunk instance to a cloud provider and I'm doubtful it will be done before my deadline to provide this data to management. Is there a query, without this add-on, that will work?
Thanks,
Bob
Without a direct connection to AD and without knowing your environment, I can't provide another definitive way to get you the data that you need from Splunk.
You may be able to pull AD with a PowerShell script into a CSV and upload it to Splunk. A PS forum would be better suited to assisting with that part though.
I'm not sure the AD export option will format some fields like lastLogon and userAccountControl so there would be a few extra steps.
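An added example of those extra steps (not code from the thread): a Python script that reads a PowerShell/CSV export carrying the raw lastLogonTimestamp (Windows FILETIME ticks) and the userAccountControl bitmask, and lists enabled accounts with no logon in the last 30 days. The CSV rows and the fixed "now" are constructed for the demo.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl flag bit for a disabled account (0x0002)
ACCOUNTDISABLE = 0x0002
# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a raw lastLogonTimestamp (FILETIME integer or its string form)
    to an aware UTC datetime. 0 means the attribute was never set."""
    ticks = int(ticks)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def stale_enabled_accounts(csv_text, now, max_age_days=30):
    """Return sAMAccountNames that are enabled and have no logon within
    max_age_days. Accounts that never logged on are included as unused.
    Note: lastLogonTimestamp is only refreshed when the stored value is older
    than msDS-LogonTimeSyncInterval (14 days by default), so it can lag a real
    logon by up to about two weeks; keep that slack in mind when reading it."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["userAccountControl"]) & ACCOUNTDISABLE:
            continue  # disabled accounts are out of scope
        last = filetime_to_datetime(row["lastLogonTimestamp"])
        if last is None or last < cutoff:
            stale.append(row["sAMAccountName"])
    return stale


# Constructed sample export (not real directory data); the shape mirrors what
# Get-ADUser ... | Export-Csv produces for these three attributes.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,lastLogonTimestamp
joe,512,133011072000000000
jane,512,133072416000000000
olduser,514,132854688000000000
svc_backup,66048,133037856000000000
newhire,512,0
"""
NOW = datetime(2022, 9, 15, tzinfo=timezone.utc)  # fixed "now" for the demo


def report():
    return stale_enabled_accounts(SAMPLE_EXPORT, NOW)
```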
My AD boxes are reporting to Splunk, however it's just the event log data. So I can pull data on Event IDs such as 4624 (successful login), but formatting that so it only shows accounts that haven't done that for a period of time and do not have the Event ID 4725 (account was disabled) associated with it is my issue. I hope that helps make some sense.
Thanks
Bob
Event IDs such as 4624 (successful login), but formatting that so it only shows accounts that haven't done that for a period of time and do not have the Event ID 4725 (account was disabled) associated with it is my issue. I hope that helps make some sense.
This makes a lot more sense than asking about AD user behavior because it describes a sequence of events that are already in Splunk, and criteria in terms of data (as opposed to user behavior). It would be even better if you gave sample data (anonymized), the data structure, sample searches you have tried, their output, and why that output does not meet your requirements. After all, this is a Splunk forum, not an AD forum.
As someone who has never seen Windows event logs in Splunk, I wonder how you would determine that a user even exists if he or she hasn't had activity for a long time. (Assuming your search period is finite.)
With this question in mind, the following uses earliest=0 (all time) to signify that it should cover a long enough period to identify users who haven't had activity for a very long time, all without a second source for the list of users.
source=EventLog EventID IN (4624, 4625) earliest=0
| stats max(_time) as lasttime by AccountID EventID
| stats values(EventID) max(lasttime) as _time by AccountID
| where 'values(EventID)' != 4625 AND _time < relative_time(now(), "-30d")
(Again, I have no idea what identifies your Windows source, what the field names are, and so on, so the entire thing is made up.) Assuming an event sequence like the following:
AccountID | EventID | _time |
joe | 4624 | 2022-05-01 |
jane | 4624 | 2022-05-20 |
joe | 4625 | 2022-06-01 |
jane | 4624 | 2022-07-01 |
jason | 4624 | 2022-08-20 |
suze | 4624 | 2022-09-01 |
the above search should give:
AccountID | values(EventID) | _time |
jane | 4624 | 2022-07-01 00:00:00 |
Of course, a search with earliest=0 is very expensive. So, if there is some periodic machine-generated event for inactive accounts, the task would be easier.
A possible reduction of cost (if you have to search earliest=0) is with tstats, e.g.:
| tstats max(_time) as lasttime where EventID IN (4624, 4625) earliest=0 by AccountID EventID
| stats values(EventID) max(lasttime) as _time by AccountID
| where 'values(EventID)' != 4625 AND _time < relative_time(now(), "-30d")
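The same two-stage logic as the stats/where search above, as an added Python example that is not part of the post: it keeps the latest 4624 per account, drops accounts that have a disable event (4725, as in the original question, in place of the 4625 used in the search), and applies the 30-day cutoff. It also accepts an optional inventory of known accounts so that accounts with no events at all can be reported, which the event log alone cannot do. The events and the fixed "now" are constructed.

```python
from datetime import datetime, timedelta, timezone

EVENT_LOGON_SUCCESS = 4624     # An account was successfully logged on
EVENT_ACCOUNT_DISABLED = 4725  # A user account was disabled

# Constructed sample events (not real log data): (account, event id, day)
SAMPLE_EVENTS = [
    ("joe",   4624, "2022-05-01"),
    ("jane",  4624, "2022-05-20"),
    ("joe",   4725, "2022-06-01"),
    ("jane",  4624, "2022-07-01"),
    ("jason", 4624, "2022-08-20"),
    ("suze",  4624, "2022-09-01"),
]


def inactive_enabled_accounts(events, now, max_age_days=30, inventory=None):
    """Return {account: last successful logon} for accounts with no disable
    event whose last 4624 is older than max_age_days. Accounts from the
    optional inventory that never appear in the events are returned with None."""
    last_logon = {}
    disabled = set()
    for account, event_id, day in events:
        when = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if event_id == EVENT_LOGON_SUCCESS:
            # equivalent of max(_time) by AccountID for the logon events
            if account not in last_logon or when > last_logon[account]:
                last_logon[account] = when
        elif event_id == EVENT_ACCOUNT_DISABLED:
            disabled.add(account)
    cutoff = now - timedelta(days=max_age_days)
    result = {}
    for account in sorted(set(last_logon) | set(inventory or [])):
        if account in disabled:
            continue  # equivalent of the != disabled-event filter
        when = last_logon.get(account)
        if when is None or when < cutoff:
            result[account] = when
    return result


NOW = datetime(2022, 9, 15, tzinfo=timezone.utc)  # fixed "now" for the demo


def report(inventory=None):
    return inactive_enabled_accounts(SAMPLE_EVENTS, NOW, inventory=inventory)
```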
As someone who has never seen Windows event logs in Splunk, I wonder how you would determine that a user even exists if he or she hasn't had activity for a long time. (Assuming your search period is finite.)
Yeah, this is exactly the reason I was going down the Add-on for AD and script routes to get the full list of AD users.
Through the WinEventLog, Splunk can tell you what happened and when, but it can't tell you an account exists if it doesn't have any events related to that account.
A full inventory of user accounts is needed to determine what accounts aren't being used.
If you have the Splunk Add-on for Active Directory installed and configured, this should be straightforward enough.
Something like this should work:
| localop | ldapsearch domain=default search="(&(objectClass=user)(!(objectClass=computer)))" attrs="samaccountname,lastLogonTimestamp,userAccountControl"
| table sAMAccountName, lastLogonTimestamp, userAccountControl
| search userAccountControl!="ACCOUNTDISABLE"
| eval lastLogin=strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S.%fZ"), threshold=relative_time(now(), "-30d")
| where lastLogin < threshold