I found this in a search:
hxxps://www.splunk.com/blog/2014/02/10/which-servers-are-inactive.html
It is old but it describes exactly what I am trying to do but looking at user accounts. I tried using the eval commands with my ldapsearch but I do not get any results. I think I just don't understand what format lastLogonTimestamp is stored in.
Here is my attempt to apply the information from the article:
| ldapsearch basedn="OU=MyOU,DC=my,DC=domain,DC=com" scope="sub" search="(objectClass=user)" attrs="cn,lastLogonTimestamp"
| eval llt=strptime(lastLogonTimestamp,"%Y-%m-%dT%H:%M:%S.%QZ")
| eval lltAge=now() - llt
| table cn,lastLogonTimestamp,llt,lltAge
When I run the search, lltAge is blank.
What am I misunderstanding?
I found another article and it gives me something more readable.
hxxps://answers.splunk.com/answers/307865/converting-lastlogontimestamp-to-readable-date-and.html
| eval lltEpoch=strptime(lastLogonTimestamp,"%Y-%m-%dT%H:%M:%S.%QZ")
| eval llt=strftime(lltEpoch,"%Y/%m/%d %T %Z")
| eval lltAge=now() - lltEpoch
I am attempting to eventually do a where clause with lltAge >= 30 days or some value.
Thanks in advance.
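Added example, not part of the original post or of Splunk's SA-ldapsearch: in Active Directory itself, lastLogonTimestamp is stored as a Windows FILETIME, an integer count of 100-nanosecond intervals since 1601-01-01 UTC (0 means the account has not logged on since the attribute existed). The searches in the post assume the value has already been turned into an ISO-8601 string before it reaches eval; the Python below accepts either form, computes the age against a fixed "now", and applies a 30-day threshold, so the two arithmetic mistakes in the post (subtracting a formatted string, comparing seconds against a day count) are visible in one place. The account records are constructed sample data. One caveat worth knowing for any inactivity report: lastLogonTimestamp is only replicated when the stored value is more than about 9 to 14 days old (msDS-LogonTimeSyncInterval, default 14 days, minus a random 0 to 5 days), so it is accurate to roughly two weeks, which is fine for a 30-day cutoff but not for "logged on today".

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a raw AD lastLogonTimestamp (FILETIME integer or digit string)
    to an aware UTC datetime. Returns None for 0 (never logged on)."""
    ticks = int(filetime)
    if ticks <= 0:
        return None
    # 10 ticks per microsecond; integer arithmetic keeps this exact.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_last_logon(value):
    """Accept the raw FILETIME form or an ISO-8601 string such as
    2015-11-01T08:30:00.000Z (the string form the post's searches assume).
    Returns an aware UTC datetime, or None when the value is missing or 0."""
    if value is None:
        return None
    text = str(value).strip()
    if text == "":
        return None
    if text.isdigit():
        return filetime_to_datetime(text)
    # datetime.fromisoformat only learned the trailing 'Z' in Python 3.11.
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def inactive_accounts(records, now, threshold_days=30):
    """Return {cn: age_in_whole_days} for accounts whose last logon is at
    least threshold_days old, plus accounts that never logged on or carry
    no lastLogonTimestamp at all (age None). Active accounts are omitted."""
    result = {}
    for record in records:
        last = parse_last_logon(record.get("lastLogonTimestamp"))
        if last is None:
            result[record["cn"]] = None
            continue
        age_seconds = (now - last).total_seconds()
        # Compare in seconds, then report in days: the same unit mismatch
        # that a Splunk 'where lltAge >= 30' on epoch seconds would hit.
        if age_seconds >= threshold_days * 86400:
            result[record["cn"]] = int(age_seconds // 86400)
    return result


# Constructed sample data (not real directory output). The FILETIME value
# decodes to 2015-10-05T00:00:00Z; the fixed "now" makes the ages stable.
SAMPLE_RECORDS = [
    {"cn": "alice", "lastLogonTimestamp": "130884768000000000"},
    {"cn": "bob", "lastLogonTimestamp": "2015-11-01T08:30:00.000Z"},
    {"cn": "svc-backup", "lastLogonTimestamp": "0"},
    {"cn": "carol"},
]
SAMPLE_NOW = datetime(2015, 11, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cn, age in inactive_accounts(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(cn, "never logged on" if age is None else f"{age} days inactive")
```

The same arithmetic in SPL: `now()` and `strptime(...)` both return epoch seconds, so keep the numeric value in its own field and only `strftime` it for display, and write the cutoff in seconds (`where lltAge >= 2592000`) or convert first (`where lltAge/86400 >= 30`). Accounts with no lastLogonTimestamp attribute produce a null `llt`, so a `where` on `lltAge` silently drops them; add `OR isnull(lltAge)` if never-logged-on accounts belong in the inactive list.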