Alert using calendar arithmetic


Hi. We a Dashboard that informs us of the date a service account password was changed/reset. Passwords need to be reset no later than every 700 days, but we'd like Splunk to alert us 6 months prior to that deadline.

Our date field looks like this:


From that date, we need to alert when that account password is 520 days old (700 days minus 6 months/180 days). So in the above example, we need to receive an alert on April 18, 2021, to remind us to schedule a password reset for that account.

We are getting the account name date of the last password set from Active Directory, in case that matters.

In other words, is there a way to do "Calendar arithmetic" in Splunk? I have no idea where to even begin with this.

Thank you!

0 Karma


Timestamp math is easy. The trick is to convert the timestamp into integer (epoch) form first.

... | eval epoch=strptime(accountPassword, "%Y-%m-%dT%H:%M:%S.%5N%Z")
| eval alertEpoch=epoch + (86400 * 520)
| eval alertTime = strftime(alertEpoch, "%Y-%m-%dT%H:%M:%S.%5N%Z")
If this reply helps you, Karma would be appreciated.
0 Karma


I can actually calculate the epoch time six months in the future from the date of the password set:

  | eval pwDate=strptime(pwdLastSet,"%Y-%m-%dT%H:%M:%S.%3N") | eval sixMonthsAhead=relative_time(pwDate, "+520d@d") | table cn, pwdLastSet, sixMonthsAhead

But I can't seem to get an alert to trigger once that date arrives...

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...