Yes. All certs can be interpreted as a series of properties (expiration is one cert property). Common command line tools can query the certs store/wallet/etc. on a daily schedule, and then send that output to a log source (syslog, windows event log, etc.), where Splunk is already picking up the logs.

1) query for gaps between number of certs expected in a day and number received. If the number is off, either a system isn't reporting in, or it's decommissioned, etc.. Splunk alert on it will help you before it's too late. This will make sure your process doesn't accidentally miss a host that was offline for a while.

2) create Splunk reports/dashboards on cert properties for what you need

Lost still? Here's a couple additional pointers for querying certs. This and a few minutes in a search engine should get you going:
https://stackoverflow.com/questions/21297853/how-to-determine-ssl-cert-expiration-date-from-a-pem-en...
https://devblogs.microsoft.com/scripting/use-powershell-to-find-certificates-that-are-about-to-expir...