Splunk Enterprise Security

Splunk App for Enterprise Security - Identity Center not fully populating endDate data

machfivejohnnyf
Engager

I am having an issue where the Identity Center in Splunk ES is not fully populating, more specifically the endDate of each identity.

So, right now I have a python script running every night to query some LDAP servers which I have Splunk set to monitor the output of. It generates a CSV of each of the required fields needed for Identities, except a few which I added with a saved search that runs after the script. This search grabs the CSV and populates an Identities lookup I made to supplement ES. The search looks like this:

index=identities
| rename uid AS identity
| table identity,prefix,nick,first,middle,last,suffix,email,uid,fullName,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,loginDisabled
| eval endDate = if(match(loginDisabled,"TRUE"), "01/30/1999 10:10", "")
| table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
| outputlookup Identities

As you can see above, I am filling in the endDate field with a date if the user's login is disabled since the LDAP servers don't have startDate or endDate.

When I run a new search, | inputlookup Identities, I see all the required fields for ES as well as my users with an endDate if applicable. When I go over to Identity Center I don't see the endDate value in there. It's been over a day, so it should be plenty of time to update. I've also checked the lookup expander logs and it appears to run with no issues, and a timestamp of the update.

I'm out of ideas why the endDate isn't getting updated, so if anyone has any suggestions I would really appreciate it.

If you need any further information, please let me know so I can provide it.

0 Karma
1 Solution

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

View solution in original post

0 Karma

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

0 Karma

letsgopats39
Engager

This worked for me. You’ll need to convert your times to epoch, then convert to MM/DD/YY HH:MM as seen below. If you need, use http://strftime.net/ to verify.

| eval endDateEpoch = strptime(accountExpires, "%Y-%m-%dT%H:%M:%SZ")
| eval endDate = strftime(endDateEpoch, "%m/%d/%y %H:%M")
| eval startDateEpoch = strptime(whenCreated, "%Y-%m-%d %H:%M:%S+00:00")
| eval startDate = strftime(startDateEpoch, "%m/%d/%y %H:%M")

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...