Solved: How to search in active directory for servers conn...

numeroinconnu12 · ‎01-19-2023

Hello and happy new year to all,

As the title says I would like to have the list of servers that have connected over the last 14 days (Lastlogon)... I have tried several methods but nothing works, here is my query :

index=msad SamAccountName=*$ VersionOS="Windows Server*"
| eval llt=strptime(LastLogon,"%d/%m/%Y %H:%M:%S")
| eval LastLogon2=strftime(llt, "%d/%m/%Y %H:%M:%S")
| rex field=SamAccountName mode=sed "s/\$//g"
| table Domain,SamAccountName,VersionOS,LastLogon2

Thanks

richgalloway · ‎01-19-2023

You created the llt field, but didn't do anything with it. Use the relative_time function to see how old llt is.

index=msad  SamAccountName=*$ VersionOS="Windows Server*"
| eval llt=strptime(LastLogon,"%d/%m/%Y %H:%M:%S")
| where llt > relative_time(now(), "-14d")
| rex field=SamAccountName mode=sed "s/\$//g"
| table Domain,SamAccountName,VersionOS,LastLogon

---
If this reply helps you, Karma would be appreciated.

View solution in original post

numeroinconnu12 · ‎01-20-2023

thank you very much, it's works@richgalloway

richgalloway · ‎01-19-2023

You created the llt field, but didn't do anything with it. Use the relative_time function to see how old llt is.

index=msad  SamAccountName=*$ VersionOS="Windows Server*"
| eval llt=strptime(LastLogon,"%d/%m/%Y %H:%M:%S")
| where llt > relative_time(now(), "-14d")
| rex field=SamAccountName mode=sed "s/\$//g"
| table Domain,SamAccountName,VersionOS,LastLogon

---
If this reply helps you, Karma would be appreciated.

How to search in active directory for servers connected in the last 14 days?

other

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation