Splunk Enterprise Security

Splunk App for Enterprise Security - Identity Center not fully populating endDate data

machfivejohnnyf
Engager

I am having an issue where the Identity Center in Splunk ES is not fully populating, more specifically the endDate of each identity.

So, right now I have a python script running every night to query some LDAP servers which I have Splunk set to monitor the output of. It generates a CSV of each of the required fields needed for Identities, except a few which I added with a saved search that runs after the script. This search grabs the CSV and populates an Identities lookup I made to supplement ES. The search looks like this:

index=identities
| rename uid AS identity
| table identity,prefix,nick,first,middle,last,suffix,email,uid,fullName,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,loginDisabled
| eval endDate = if(match(loginDisabled,"TRUE"), "01/30/1999 10:10", "")
| table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
| outputlookup Identities

As you can see above, I am filling in the endDate field with a date if the user's login is disabled since the LDAP servers don't have startDate or endDate.

When I run a new search, | inputlookup Identities, I see all the required fields for ES as well as my users with an endDate if applicable. When I go over to Identity Center I don't see the endDate value in there. It's been over a day, so it should be plenty of time to update. I've also checked the lookup expander logs and it appears to run with no issues, and a timestamp of the update.

I'm out of ideas why the endDate isn't getting updated, so if anyone has any suggestions I would really appreciate it.

If you need any further information, please let me know so I can provide it.

0 Karma
1 Solution

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

View solution in original post

0 Karma

machfivejohnnyf
Engager

I figured it out. I was passing 01/30/1999 10:10 instead of the time it was expecting, which was 01/30/99 10:10. Splunk isn't Y2K compatible it seems...

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>