I am having an issue where the Identity Center in Splunk ES is not fully populating, more specifically the endDate of each identity.
So, right now I have a Python script running every night to query some LDAP servers, whose output I have Splunk set to monitor. It generates a CSV of each of the required fields needed for Identities, except a few which I added with a saved search that runs after the script. This search grabs the CSV and populates an Identities lookup I made to supplement ES. The search looks like this:
index=identities
| rename uid AS identity
| table identity,prefix,nick,first,middle,last,suffix,email,uid,fullName,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,loginDisabled
| eval endDate = if(match(loginDisabled,"TRUE"), "01/30/1999 10:10", "")
| table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
| outputlookup Identities
As you can see above, I am filling in the endDate field with a date if the user's login is disabled since the LDAP servers don't have startDate or endDate.
When I run a new search, | inputlookup Identities, I see all the required fields for ES as well as my users with an endDate if applicable. When I go over to Identity Center I don't see the endDate value in there. It's been over a day, so it should be plenty of time to update. I've also checked the lookup expander logs and it appears to run with no issues, and a timestamp of the update.
I'm out of ideas why the endDate isn't getting updated, so if anyone has any suggestions I would really appreciate it.
If you need any further information, please let me know so I can provide it.
I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...
This worked for me. You’ll need to convert your times to epoch, then convert to MM/DD/YY HH:MM as seen below. If you need, use http://strftime.net/ to verify.
| eval endDateEpoch = strptime(accountExpires, "%Y-%m-%dT%H:%M:%SZ")
| eval endDate = strftime(endDateEpoch, "%m/%d/%y %H:%M")
| eval startDateEpoch = strptime(whenCreated, "%Y-%m-%d %H:%M:%S+00:00")
| eval startDate = strftime(startDateEpoch, "%m/%d/%y %H:%M")
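To show the data flow from the nightly LDAP export to the lookup end to end, here is an added Python example; it is not the asker's script, the answerer's search, or Splunk's own code. It builds identity rows in the column layout the question's search outputs, writes endDate in the two-digit-year layout the thread arrived at, and audits a CSV (or an export of `| inputlookup Identities`) for dates ES will not parse. It assumes the LDAP export presents timestamps in one of three layouts: the two strptime formats from the answer above, or RFC 4517 GeneralizedTime (e.g. 20240130101000Z), which goes beyond the thread's specific case; the sample entries and attribute names are constructed.

```python
import csv
import io
from datetime import datetime

# Date layout Splunk ES Identity Center parses for startDate/endDate:
# two-digit year, 24-hour clock (the fix the thread arrived at).
ES_DATE_FMT = "%m/%d/%y %H:%M"

# ES identity lookup columns, in the order the question's search outputs them.
ES_FIELDS = [
    "identity", "prefix", "nick", "first", "last", "suffix", "email",
    "phone", "phone2", "managedBy", "priority", "bunit", "category",
    "watchlist", "startDate", "endDate",
]

# Timestamp layouts accepted from the LDAP export. The first two are the
# ones used in the answer above; the third is RFC 4517 GeneralizedTime,
# which many LDAP servers return natively (assumption: your export emits
# one of these three).
INPUT_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",       # e.g. 2024-01-30T10:10:00Z
    "%Y-%m-%d %H:%M:%S+00:00",  # e.g. 2024-01-30 10:10:00+00:00
    "%Y%m%d%H%M%SZ",            # e.g. 20240130101000Z
)

# Placeholder end date for disabled logins, as in the question's eval,
# but written in the two-digit-year layout ES actually accepts.
DISABLED_SENTINEL = "01/30/99 10:10"


def to_es_date(value):
    """Convert an LDAP timestamp to ES's MM/DD/YY HH:MM ('' stays '')."""
    if not value:
        return ""
    for fmt in INPUT_FORMATS:
        try:
            return datetime.strptime(value, fmt).strftime(ES_DATE_FMT)
        except ValueError:
            continue
    # Fail loudly rather than writing an unparseable value into the lookup,
    # which ES would silently ignore (the symptom in the question).
    raise ValueError(f"unrecognised LDAP timestamp: {value!r}")


def is_es_date(value):
    """True if value is empty or exactly in ES's expected layout."""
    if value == "":
        return True
    try:
        # Round-trip so that a 4-digit year or stray seconds are rejected.
        return datetime.strptime(value, ES_DATE_FMT).strftime(ES_DATE_FMT) == value
    except ValueError:
        return False


def build_identity_row(entry):
    """Map one LDAP entry (dict of attribute -> string) to an ES identity row."""
    login_disabled = str(entry.get("loginDisabled", "")).upper() == "TRUE"
    end_date = to_es_date(entry.get("accountExpires", ""))
    if login_disabled and not end_date:
        end_date = DISABLED_SENTINEL
    row = {field: entry.get(field, "") for field in ES_FIELDS}
    row["identity"] = entry["uid"]
    row["startDate"] = to_es_date(entry.get("whenCreated", ""))
    row["endDate"] = end_date
    return row


def identities_csv(entries):
    """Render the rows as the CSV the nightly script hands to Splunk."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_FIELDS, lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow(build_identity_row(entry))
    return buf.getvalue()


def bad_dates(csv_text):
    """Audit a CSV (or `| inputlookup Identities` export) for dates ES will drop."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in ("startDate", "endDate"):
            value = row.get(field) or ""
            if not is_es_date(value):
                problems.append((row["identity"], field, value))
    return problems


# Constructed sample LDAP entries (not real accounts).
SAMPLE_ENTRIES = [
    {"uid": "jdoe", "first": "Jane", "last": "Doe", "email": "jdoe@example.com",
     "whenCreated": "2021-03-04 08:15:00+00:00",
     "accountExpires": "2024-01-30T10:10:00Z",
     "loginDisabled": "FALSE", "priority": "medium", "category": "normal"},
    {"uid": "svc-backup", "first": "Backup", "last": "Service",
     "whenCreated": "20190101000000Z", "loginDisabled": "TRUE",
     "priority": "high", "category": "privileged"},
]

if __name__ == "__main__":
    print(identities_csv(SAMPLE_ENTRIES))
    # The question's original sentinel is exactly what the audit flags:
    print(bad_dates("identity,startDate,endDate\njdoe,,01/30/1999 10:10\n"))
```

Running bad_dates over an export of `| inputlookup Identities` is the quickest way to confirm the fix: a four-digit year fails the round-trip check even though the value looks right when you eyeball the lookup, which is why the lookup expander logs showed no error in the question.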