I am having an issue where the Identity Center in Splunk ES is not fully populating, more specifically the endDate of each identity.
So, right now I have a python script running every night to query some LDAP servers which I have Splunk set to monitor the output of. It generates a CSV of each of the required fields needed for Identities, except a few which I added with a saved search that runs after the script. This search grabs the CSV and populates an Identities lookup I made to supplement ES. The search looks like this:
As you can see above, I am filling in the endDate field with a date if the user's login is disabled since the LDAP servers don't have startDate or endDate.
When I run a new search, | inputlookup Identities, I see all the required fields for ES as well as my users with an endDate if applicable. When I go over to Identity Center I don't see the endDate value in there. It's been over a day, so it should be plenty of time to update. I've also checked the lookup expander logs and it appears to run with no issues, and a timestamp of the update.
I'm out of ideas why the endDate isn't getting updated, so if anyone has any suggestions I would really appreciate it.
If you need any further information, please let me know so I can provide it.