Alerting

How do I adjust timezone settings for Cisco WSA data to set up accurate alerting?

kearaspoor
Communicator

We have multiple Cisco WSA devices set up in each of the US timezones; each is set to log in local time. But it seems as if the WSA logs don't contain any kind of timezone indicator on them.

When I run a search in Splunk, using a user account in Central time, against a WSA device in Eastern time, I end up getting "future" events.
Example: ran a search at 8AM central against an eastern WSA device, there were events found with time-stamps of 9AM.

Likewise when I run a search looking for lag between index time and timestamp (again from a Central Time account):

index=wsa_system sourcetype="cisco:wsa:shd" CliConn=*  | eval lag=((_indextime-_time)/(60*60))

All our Eastern devices are reporting negative lag (future timestamps), Central devices are relatively real-time, Mountain devices have approx 1hr lag, Western devices have roughly 2hr lag.

I'm trying to set up alerts for high numbers of client connections and need to know:
1) Is there any way to adjust for these time off-sets at search time using our current logs?
2) Is there a way for Splunk to add the time off-sets/zone to the events at indexing time?
3) Is there a way to have the WSA devices add the timezone to the logs before sending? (Or will I need to make a business case that all the WSA devices should log in the same timezone regardless of physical location?)

Tags (4)

esix_splunk
Splunk Employee
Splunk Employee

You should set your timezone on the inputs.conf where you are ingesting the data. In the data source, use the

TZ=US/Eastern

http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Propsconf

0 Karma

GDustin
Path Finder

TZ does not exist in inputs.conf.spec

0 Karma
Get Updates on the Splunk Community!

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Want a chance to win $500 to the Splunk shop? Take our IT Incident Management Survey!

  Top Trends & Best Practices in Incident ManagementSplunk is partnering up with Constellation Research to ...