Alert using calendar arithmetic


Hi. We a Dashboard that informs us of the date a service account password was changed/reset. Passwords need to be reset no later than every 700 days, but we'd like Splunk to alert us 6 months prior to that deadline.

Our date field looks like this:


From that date, we need to alert when that account password is 520 days old (700 days minus 6 months/180 days). So in the above example, we need to receive an alert on April 18, 2021, to remind us to schedule a password reset for that account.

We are getting the account name date of the last password set from Active Directory, in case that matters.

In other words, is there a way to do "Calendar arithmetic" in Splunk? I have no idea where to even begin with this.

Thank you!

0 Karma


Timestamp math is easy. The trick is to convert the timestamp into integer (epoch) form first.

... | eval epoch=strptime(accountPassword, "%Y-%m-%dT%H:%M:%S.%5N%Z")
| eval alertEpoch=epoch + (86400 * 520)
| eval alertTime = strftime(alertEpoch, "%Y-%m-%dT%H:%M:%S.%5N%Z")
If this reply helps you, an upvote would be appreciated.
0 Karma


I can actually calculate the epoch time six months in the future from the date of the password set:

  | eval pwDate=strptime(pwdLastSet,"%Y-%m-%dT%H:%M:%S.%3N") | eval sixMonthsAhead=relative_time(pwDate, "+520d@d") | table cn, pwdLastSet, sixMonthsAhead

But I can't seem to get an alert to trigger once that date arrives...

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!