Solved: How to search in active directory for servers conn...

numeroinconnu12 · ‎01-19-2023

Hello and happy new year to all,

As the title says I would like to have the list of servers that have connected over the last 14 days (Lastlogon)... I have tried several methods but nothing works, here is my query :

index=msad SamAccountName=*$ VersionOS="Windows Server*"
| eval llt=strptime(LastLogon,"%d/%m/%Y %H:%M:%S")
| eval LastLogon2=strftime(llt, "%d/%m/%Y %H:%M:%S")
| rex field=SamAccountName mode=sed "s/\$//g"
| table Domain,SamAccountName,VersionOS,LastLogon2

Thanks

richgalloway · ‎01-19-2023

You created the llt field, but didn't do anything with it. Use the relative_time function to see how old llt is.

index=msad  SamAccountName=*$ VersionOS="Windows Server*"
| eval llt=strptime(LastLogon,"%d/%m/%Y %H:%M:%S")
| where llt > relative_time(now(), "-14d")
| rex field=SamAccountName mode=sed "s/\$//g"
| table Domain,SamAccountName,VersionOS,LastLogon

---
If this reply helps you, Karma would be appreciated.

View solution in original post

numeroinconnu12 · ‎01-20-2023

thank you very much, it's works@richgalloway

richgalloway · ‎01-19-2023

You created the llt field, but didn't do anything with it. Use the relative_time function to see how old llt is.

index=msad  SamAccountName=*$ VersionOS="Windows Server*"
| eval llt=strptime(LastLogon,"%d/%m/%Y %H:%M:%S")
| where llt > relative_time(now(), "-14d")
| rex field=SamAccountName mode=sed "s/\$//g"
| table Domain,SamAccountName,VersionOS,LastLogon

---
If this reply helps you, Karma would be appreciated.

How to search in active directory for servers connected in the last 14 days?

Other

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...