Splunk Enterprise Security

Splunk App for Enterprise Security - Identity Center not fully populating endDate data

machfivejohnnyf
Engager

I am having an issue where the Identity Center in Splunk ES is not fully populating, more specifically the endDate of each identity.

So, right now I have a python script running every night to query some LDAP servers which I have Splunk set to monitor the output of. It generates a CSV of each of the required fields needed for Identities, except a few which I added with a saved search that runs after the script. This search grabs the CSV and populates an Identities lookup I made to supplement ES. The search looks like this:

index=identities
| rename uid AS identity
| table identity,prefix,nick,first,middle,last,suffix,email,uid,fullName,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,loginDisabled
| eval endDate = if(match(loginDisabled,"TRUE"), "01/30/1999 10:10", "")
| table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
| outputlookup Identities

As you can see above, I am filling in the endDate field with a date if the user's login is disabled since the LDAP servers don't have startDate or endDate.

When I run a new search, | inputlookup Identities, I see all the required fields for ES as well as my users with an endDate if applicable. When I go over to Identity Center I don't see the endDate value in there. It's been over a day, so it should be plenty of time to update. I've also checked the lookup expander logs and it appears to run with no issues, and a timestamp of the update.

I'm out of ideas why the endDate isn't getting updated, so if anyone has any suggestions I would really appreciate it.

If you need any further information, please let me know so I can provide it.

0 Karma
1 Solution

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

View solution in original post

0 Karma

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

0 Karma

letsgopats39
Engager

This worked for me. You’ll need to convert your times to epoch, then convert to MM/DD/YY HH:MM as seen below. If you need, use http://strftime.net/ to verify.

| eval endDateEpoch = strptime(accountExpires, "%Y-%m-%dT%H:%M:%SZ")
| eval endDate = strftime(endDateEpoch, "%m/%d/%y %H:%M")
| eval startDateEpoch = strptime(whenCreated, "%Y-%m-%d %H:%M:%S+00:00")
| eval startDate = strftime(startDateEpoch, "%m/%d/%y %H:%M")

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...