Hello.
I'm struggling with a query. We want to search Windows Event logs for accounts whose passwords have not been changed (by admins) for more than 700 days. I have created a query that informs me of when a password was changed:
index=main host=*DC* EventCode=4724 | eval Modifier = mvindex(Account_Name, 0) | eval User_Name = mvindex(Account_Name, 1) | rename Group_Name AS Modified_Group | table _time Modifier User_Name
But I do not know how to get Splunk to check for a password that has NOT been changed for over X days. Is this even possible?
Thank you in advance for your help.
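One way to answer the question, as an added example rather than a query from the original post: instead of searching for the absence of an event, take the latest 4724 per target account and keep only accounts whose latest reset is older than the threshold. It assumes the same index, host pattern and Account_Name field order as the poster's query, and a search window (earliest=-3y here) that reaches back further than the 700-day threshold.

```spl
index=main host=*DC* EventCode=4724 earliest=-3y
| eval Modifier=mvindex(Account_Name, 0), User_Name=mvindex(Account_Name, 1)
| stats latest(_time) AS last_reset BY User_Name
| eval days_since_reset=round((now() - last_reset) / 86400)
| where days_since_reset > 700
| convert ctime(last_reset)
| table User_Name last_reset days_since_reset
| sort - days_since_reset
```

Only accounts with at least one 4724 inside the search window and the index's retention can appear, so an account that has never had a password reset is invisible to this search and needs an account list (for example from AD) joined in; if self-service changes should also count, include EventCode=4723 alongside 4724.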