Hi,
I would like to run a report of Active Directory accounts created in the last 24 hours. I tried different things, but I am not sure if the eval command takes a Splunk-style time period (such as -24h) or > yesterday's date. |eval whenCreated=20150803 did not work.
|ldapsearch domain=test.com
search="(&(objectclass=user))"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval whenCreated=20150803
|table sAMAccountName, displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate