Trying to run some PowerShell scripts to pull stale computers / logons etc. I am using SA-ldap and the following queries.
| ldapsearch domain=XXX search="(objectclass=computer)" attrs="cn,lastLogonTimestamp"
| eval ninetydays=now() - (90*86400)
| eval lastConnected=strptime(lastLogonTimestamp,"%Y-%m-%d")
| where lastConnected < ninetydays
| table cn,lastConnected
| rename cn to Computer,lastConnected to "Last Connected"
This gives me
computernamexxx 1411707600.000000
Another conversion attempt gave me 2015-01-09T15:09:09.814585Z
The question is, how do I format this date field? Active Directory time stamp is actually something else, but since I don't get the actual value from AD, I am not sure how to format it.
I have tried the following
| eval ADTime=lastLogonTimestamp/1000000000
| eval lastConnected=strftime(ADTime, "%F %H:%M:%S.%3Q")
Also
| eval lastConnected=strptime(lastLogonTimestamp,"%Y-%m-%d")
Neither of these are working correctly. Any guidance on formatting these would be helpful.
Really all I want is the date.... YYYY-MM-DD I don't want the time at all.
Side question - my understanding is that lastLogonTimeStamp is a replicated field. Does SA-ldap search just query one DC - the one I have configured? Should I be using a different attribute to get what I am looking for and focus on the non-replicated fields and query all DCs?
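
An added example, not part of the original post and not SA-ldap's own code: a Python sketch that normalises the forms of lastLogonTimestamp seen in this question (the ISO 8601 string, epoch seconds, and the raw AD value of 100-nanosecond ticks since 1601-01-01 UTC) to a YYYY-MM-DD date and applies the 90-day cutoff. The function names, the host names, the threshold separating raw ticks from epoch seconds, and treating an unset value as stale are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)    # zero point of AD tick counts
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: a bare number larger than this is raw AD ticks, not epoch seconds.
FILETIME_THRESHOLD = 10**12

def parse_last_logon(value):
    """Return an aware UTC datetime, or None when the attribute is unset/zero."""
    text = str(value).strip()
    if not text:
        return None
    try:
        number = float(text)
    except ValueError:
        # ISO 8601 form, e.g. 2015-01-09T15:09:09.814585Z (fraction optional)
        for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
            try:
                return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
        raise ValueError("unrecognised lastLogonTimestamp: %r" % text)
    if number == 0:
        return None
    if number > FILETIME_THRESHOLD:
        # Raw AD value: 100 ns ticks since 1601; keep integer precision.
        ticks = int(text) if text.isdigit() else int(number)
        return AD_EPOCH + timedelta(microseconds=ticks // 10)
    return UNIX_EPOCH + timedelta(seconds=number)

def stale_computers(rows, now, days=90):
    """Return (cn, 'YYYY-MM-DD' or 'never') for hosts not seen within `days`."""
    # lastLogonTimestamp is by default only refreshed when the stored value is
    # roughly 9 to 14 days old, so keep `days` well above that window.
    cutoff = now - timedelta(days=days)
    stale = []
    for cn, raw in rows:
        seen = parse_last_logon(raw)
        if seen is None:
            stale.append((cn, "never"))          # assumption: unset counts as stale
        elif seen < cutoff:
            stale.append((cn, seen.strftime("%Y-%m-%d")))
    return stale

# Constructed sample rows; the two timestamp strings are the ones quoted in the post.
SAMPLE = [("PC-ISO", "2015-01-09T15:09:09.814585Z"), ("PC-EPOCH", "1411707600.000000"),
          ("PC-TICKS", "130652897498145850"), ("PC-NEVER", "0")]

if __name__ == "__main__":
    print(stale_computers(SAMPLE, datetime(2015, 3, 1, tzinfo=timezone.utc)))
```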