Splunk Enterprise Security

Splunk App for Enterprise Security - Identity Center not fully populating endDate data

machfivejohnnyf
Engager

I am having an issue where the Identity Center in Splunk ES is not fully populating, more specifically the endDate of each identity.

So, right now I have a python script running every night to query some LDAP servers which I have Splunk set to monitor the output of. It generates a CSV of each of the required fields needed for Identities, except a few which I added with a saved search that runs after the script. This search grabs the CSV and populates an Identities lookup I made to supplement ES. The search looks like this:

index=identities
| rename uid AS identity
| table identity,prefix,nick,first,middle,last,suffix,email,uid,fullName,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,loginDisabled
| eval endDate = if(match(loginDisabled,"TRUE"), "01/30/1999 10:10", "")
| table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
| outputlookup Identities

As you can see above, I am filling in the endDate field with a date if the user's login is disabled since the LDAP servers don't have startDate or endDate.

When I run a new search, | inputlookup Identities, I see all the required fields for ES as well as my users with an endDate if applicable. When I go over to Identity Center I don't see the endDate value in there. It's been over a day, so it should be plenty of time to update. I've also checked the lookup expander logs and it appears to run with no issues, and a timestamp of the update.

I'm out of ideas why the endDate isn't getting updated, so if anyone has any suggestions I would really appreciate it.

If you need any further information, please let me know so I can provide it.

0 Karma
1 Solution

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

View solution in original post

0 Karma

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...