Date Field calculations help

saurabhkunte
Path Finder

Hello All,
I am hoping one of you can help me out with the following:
I have a PowerShell script which is displaying the output of all Active Directory Server objects and indexing to Splunk, which works well. The output is getting indexed in the following format:
Output:

2014/04/29 11:46:39 ServerName="am-dc02" ADSPath="CN=am-dc02,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:36"
2014/04/29 11:46:39 ServerName="am-dc01" ADSPath="CN=am-dc01,OU=Domain Controllers,DC=ads,DC=contoso,DC=com" Created="04/28/2014 12:34:01"

This script runs every day and indexes the AD export list to Splunk.

What I want to achieve is to have a report set up to list all new AD objects that got created Current Date - 1 day, Current Date - 7 days. I can use the "Created" date field to calculate this. However, when I try to convert this field to epoch time and then compare it against time now, I do not get any results. Can anybody provide me with the correct query on how to achieve these reports?

Thank you.
S

somesoni2
SplunkTrust
SplunkTrust

Try this

your base search | eval report_cutoff=relative_time(now(),"-1d") | convert timeformat="%m/%d/%Y %H:%M:%S" mktime(Created) | where Created > report_cutoff

saurabhkunte
Path Finder

Ah, correct. Perfect, that works well. Thanks for your quick help. Appreciate it!


somesoni2
SplunkTrust
SplunkTrust

-1d goes back exactly 24 hrs (e.g. if it's 4/29 2 PM now, then it goes back to 4/28 2 PM). Change it to -1d@d to see AD groups created since yesterday midnight (4/28 12 AM).
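As an added example, not from the original thread, one search that produces both requested reports (created since yesterday midnight, created in the last 7 days) from the indexed AD export, using the -1d@d snapping described above. The index and sourcetype names are assumptions; the field names ServerName, ADSPath and Created come from the indexed output shown in the question, strptime leaves the original Created string intact for display, and dedup on ServerName stops an object from being listed once per daily export run:

```spl
index=ad_export sourcetype=ad_server_export
| eval created_epoch=strptime(Created, "%m/%d/%Y %H:%M:%S")
| eval cutoff_7d=relative_time(now(), "-7d@d"), cutoff_1d=relative_time(now(), "-1d@d")
| where isnotnull(created_epoch) AND created_epoch >= cutoff_7d
| eval window=if(created_epoch >= cutoff_1d, "since yesterday midnight", "last 7 days")
| dedup ServerName sortby -_time
| sort - created_epoch
| table ServerName ADSPath Created window
```

If this returns nothing although new objects exist, drop the where clause and look for events where created_epoch is null: that means the timeformat does not match the indexed Created string, which is exactly the silent failure behind the "no results" symptom in the question.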

saurabhkunte
Path Finder

Thanks for your reply.
This returns no results, and I know for sure I had the above 2 AD objects created yesterday and listed under the Created field. Any other ideas please?
