Can you set up the "| ldapsearch" command in your Splunk environment, so that it can perform LDAP queries to your AD?

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.2/User/Theldapsearchcommand
https://www.splunk.com/en_us/blog/tips-and-tricks/integrating-active-directory-into-splunk-with-sa-ldapsearch.html

Once that is complete, you can search for users with an "accountExpires" time:

| ldapsearch domain="default" search="(&(objectclass=user))" attrs="cn,displayName,title,department,whenCreated,mail,lastLogonTimestamp,accountExpires"
| table cn mail displayName title department whenCreated lastLogonTimestamp accountExpires
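
The following is an added example, not part of the original post. It shows how to interpret accountExpires values when reviewing exported results for expired or soon-to-expire accounts. It assumes the field holds the raw Active Directory integer (100-nanosecond ticks since 1601-01-01 UTC, where 0 and 9223372036854775807 mean "never expires"); the function names and sample rows are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AD uses both of these values to mean "account never expires".
NEVER = {0, 0x7FFFFFFFFFFFFFFF}

def account_expiry(raw):
    """Return the expiry as an aware UTC datetime, or None for 'never'."""
    ticks = int(raw)
    if ticks in NEVER:
        return None
    try:
        # 1 tick = 100 ns, so 10 ticks = 1 microsecond.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None  # beyond datetime's range: treat as non-expiring

def classify(rows, now, window_days=30):
    """Map each cn to 'never', 'expired', 'expiring' or 'ok'."""
    result = {}
    for row in rows:
        expiry = account_expiry(row["accountExpires"])
        if expiry is None:
            result[row["cn"]] = "never"
        elif expiry <= now:
            result[row["cn"]] = "expired"
        elif expiry - now <= timedelta(days=window_days):
            result[row["cn"]] = "expiring"
        else:
            result[row["cn"]] = "ok"
    return result

# Constructed sample rows (not real directory data).
SAMPLE = [
    {"cn": "alice", "accountExpires": "0"},
    {"cn": "bob", "accountExpires": "9223372036854775807"},
    {"cn": "carol", "accountExpires": "133485408000000000"},  # 2024-01-01
    {"cn": "dave", "accountExpires": "133512192000000000"},   # 2024-02-01
    {"cn": "erin", "accountExpires": "133801632000000000"},   # 2025-01-01
]

if __name__ == "__main__":
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    for cn, state in classify(SAMPLE, now).items():
        print(cn, state)
```

If the values in your results already appear as formatted dates rather than integers, the tick conversion is unnecessary and only the comparison logic applies.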