Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I adjust timezone settings for Cisco WSA data to set up accurate alerting?

kearaspoor
SplunkTrust
SplunkTrust
‎01-21-2016 06:56 AM

We have multiple Cisco WSA devices set up in each of the US timezones; each is set to log in local time. But it seems as if the WSA logs don't contain any kind of timezone indicator on them.

When I run a search in Splunk, using a user account in Central time, against a WSA device in Eastern time, I end up getting "future" events.
Example: ran a search at 8AM central against an eastern WSA device, there were events found with time-stamps of 9AM.

Likewise when I run a search looking for lag between index time and timestamp (again from a Central Time account):

index=wsa_system sourcetype="cisco:wsa:shd" CliConn=*  | eval lag=((_indextime-_time)/(60*60))

All our Eastern devices are reporting negative lag (future timestamps), Central devices are relatively real-time, Mountain devices have approx 1hr lag, Western devices have roughly 2hr lag.

I'm trying to set up alerts for high numbers of client connections and need to know:
1) Is there any way to adjust for these time off-sets at search time using our current logs?
2) Is there a way for Splunk to add the time off-sets/zone to the events at indexing time?
3) Is there a way to have the WSA devices add the timezone to the logs before sending? (Or will I need to make a business case that all the WSA devices should log in the same timezone regardless of physical location?)

Tags (4)
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-21-2016 04:04 PM

You should set your timezone on the inputs.conf where you are ingesting the data. In the data source, use the 

TZ=US/Eastern

http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Propsconf

0 Karma
Reply

GDustin
Path Finder
‎12-04-2019 02:18 AM

TZ does not exist in inputs.conf.spec

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...