Solved: Timezone interpretation: How to defer and control ...

donelliot · ‎06-03-2022

I have a use case, which is basically about alerting users for vulnerabilities when we need them to take action

This is a centralised pull from tenable so far so good

My issue is how to defer and control the sending of the alert so it doesn't wake up people in various time zones around the world. I don't want them getting alerts at 2am or on Sunday in their timezone, unless Sunday is a workday - that's a whole different matter.

I looked at ip lookup allitems=true and can get the timezone, so that is a step forward

But I can't seem to find out how to convert the Americas/Vancouver timestamp to an offset of UTC which I can play with

I'm sure some of you with global companies must have dealt with this challenge. My understanding is you can get fined in Germany for communicating with employees out of hours. Let just say I manage to determine the correct textual timestamp like Americas\Chicago - how do I translated that to a UTC offset ?

of course if anyone can spot what I'm trying to do and has a better way then I'm all ears

donelliot · ‎06-04-2022

Got the basis of this working :

| makeresults 1
| eval header="{\"content-type\":\"application/json\"}"
| eval api_key = "<API_KEY>"
| eval tz = "America/Los_Angeles"
| eval where = "https://api.ipgeolocation.io/timezone?apiKey=" + api_key + "&tz=" + tz
| eval myuser = "nobody"
| eval myuri = where
| curl method=get urifield=myuri headerfield=header debug=true
| table curl*
| spath input=curl_message

Be interested in suggestions for alternatives though..

View solution in original post

donelliot · ‎06-04-2022

Got the basis of this working :

| makeresults 1
| eval header="{\"content-type\":\"application/json\"}"
| eval api_key = "<API_KEY>"
| eval tz = "America/Los_Angeles"
| eval where = "https://api.ipgeolocation.io/timezone?apiKey=" + api_key + "&tz=" + tz
| eval myuser = "nobody"
| eval myuri = where
| curl method=get urifield=myuri headerfield=header debug=true
| table curl*
| spath input=curl_message

Be interested in suggestions for alternatives though..

ITWhisperer · ‎06-04-2022

| eval local=strftime(now(),"%F %T %z")

donelliot · ‎06-04-2022

Thanks but my starting point is not the time but the ip address -

| iplocation allfields=true src_ip

Trying to build a table of people and offsets from UTC so I can decide - OK I'm going to send an alert at 10am for all people in Thailand ... or all people on Mountain time.

I know it won't be perfect - and I need to get rid of all the noise of VPNs and consider travellers but it's a lot better than sending emails at 2am in the morning

donelliot · ‎06-04-2022

I found this web service which should get me what I want

https://ipgeolocation.io/documentation/timezone-api.html

- I'd have thought there is a way in Splunk - Basically my starting point is the iplocation -all and I need to interpret the Country/State timezone expression

# Get 'America/Los_Angeles' timezone information
$ curl 'https://api.ipgeolocation.io/timezone?apiKey=API_KEY&tz=America/Los_Angeles'

{
    "timezone": "America/Los_Angeles",
    "timezone_offset": -8,
    "date": "2018-12-06",
    "date_time": "2018-12-06 02:02:09",
    "date_time_txt": "Thursday, December 06, 2018 02:02:09",
    "date_time_wti": "Thu, 06 Dec 2018 02:02:09 -0800",
    "date_time_ymd": "2018-12-06T02:02:09-0800",
    "date_time_unix": 1544090529.989,
    "time_24": "02:02:09",
    "time_12": "02:02:09 AM",
    "week": "49",
    "month": "12",
    "year": "2018",
    "year_abbr": "18",
    "is_dst": false,
    "dst_savings": 1
}

Timezone interpretation: How to defer and control the sending of the alert?

alert action

throttling

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM