Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Date Field calculations help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I am hoping one of you can help me out with the following:
I have a Powershell script which is displaying the output of all Active Directory Server objects and indexing to Splunk which works well. The output is getting indexed in the following format:
output :
2014/04/29 11:46:39 ServerName="am-dc02" ADSPath="CN=am-dc02,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:36"
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"
this script runs everyday and indexes the ad export list to splunk.
What i want to achieve is to have a report setup to list all new AD objects that got created Current Date -1 day, Current Date - 7 days. i can use the " Created" date field to calculate this. However when I try to convert this field to epoch time and then compare it against timenow, I do not get any results. Can any body provide me with the correct query on how to achieve these reports ?
Thank you.
S
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | eval report_cutoff=relative_time(now(),"-1d") | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(Created) | where Created > report_cutoff
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | eval report_cutoff=relative_time(now(),"-1d") | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(Created) | where Created > report_cutoff
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ah correct. perfect that works well. Thanks for your quick help. Appreciate it !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-1d goes back exactly 24 hrs back (e.g if its 4/29 2 PM now, then it goes back to 4/28 2 PM). Change it to -1d@d to see AD groups created since Yesterday Midnight (4/28 12 AM)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply.
This returns no results and I know for sure i had the above 2 AD objects created yesterday and listed under Created Field. Any other ideas please ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
