https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528314#M89079 <P>Meanwhile, I found it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>The Palo alto add-on permission was limited to the app, not Global. So if I search in Paloalto app it is ok, but that strange behavior in the default Search app.</P><P>Only the "bonus" question left. What will happen if I will have the same source type but from a different time zone? I should clone the original pan:log source type with a different time zone setting and add this new source type to props/transforms.conf?</P><P>&nbsp;</P> Fri, 06 Nov 2020 12:14:18 GMT norbertt911 2020-11-06T12:14:18Z https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528306#M89077 <P>Dear Splunkers,</P><P>Sorry about this, but I never did such thing before...</P><P>My Splunk is in EU and now I added PaloAlto firewall logs (collected by a Syslog and UF pushing them to Splunk) from AUS.</P><P>The timestamping is wrong.</P><P>First of all the today's events (11/06) are indexed on11th of Jun (06/11).&nbsp; On the top, it is indexed two hours ahead than the current time.</P><P>now the events look like this :</P><TABLE><TBODY><TR><TD><SPAN class="formated-time"><SPAN>11/06/2020</SPAN><BR /><SPAN>13:45:43.000</SPAN></SPAN></TD><TD><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="json-event wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t">06-11-2020</SPAN> <SPAN class="t">21:45:43</SPAN> <SPAN class="t">User.Info</SPAN> <SPAN class="t">10.180.160.41</SPAN> <SPAN class="t">Nov</SPAN> <SPAN class="t">6</SPAN> <SPAN class="t">21:45:43</SPAN> <SPAN class="t">Firewall.device.name</SPAN>&nbsp;<SPAN class="t">1</SPAN>, ..........................................................</DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I'm using the Palo Alto add-on default for the source type, just the time zone changed to Sydney.&nbsp; (Timestamp prefix : ^(?:[^,]*,){5}&nbsp; &nbsp;;&nbsp; &nbsp;Lookahead 100)</P><P>Could you please advise what I should do? (what will happen if I&nbsp; will have the same source type logs to the same index but from a different timezone? )&nbsp;</P><P>Regards,</P><P>Norbert</P> Fri, 06 Nov 2020 11:09:58 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528306#M89077 norbertt911 2020-11-06T11:09:58Z https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528307#M89078 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223775">@norbertt911</a>&nbsp;the props.conf setting on timestamp recognition got some issues. Can you copy paste your props/transforms here(after hiding the hostname values)</P> Fri, 06 Nov 2020 11:22:36 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528307#M89078 inventsekar 2020-11-06T11:22:36Z https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528314#M89079 <P>Meanwhile, I found it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>The Palo alto add-on permission was limited to the app, not Global. So if I search in Paloalto app it is ok, but that strange behavior in the default Search app.</P><P>Only the "bonus" question left. What will happen if I will have the same source type but from a different time zone? I should clone the original pan:log source type with a different time zone setting and add this new source type to props/transforms.conf?</P><P>&nbsp;</P> Fri, 06 Nov 2020 12:14:18 GMT https://community.splunk.com/t5/Getting-Data-In/Wrong-timestamp-Palo-Alto/m-p/528314#M89079 norbertt911 2020-11-06T12:14:18Z