All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timezone not parsed correctly in FireEye NX JSON logs

awurster
Contributor
‎06-16-2015 09:41 PM

not sure why exactly the time stuff is commented out in the TA code, but i found that timestamps were not parsed correctly when sending our events from an NX appliance to Splunk via JSON / HTTPS and the FireEye TA v3.

event data:

...
"occurred": "2015-06-17 03:25:55+00", 
"id": "1", 
"action": "notified", 
"interface": {
"mode": "tap"
...

i found that i had to uncomment out and adjust the two TIME_ fields below to get things working.

###### FireEye JSON over HTTPS ######
# Universal Handler for FireEye JSON notifications (pre and post FireEye OS 7.1)
[fe_json]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
KV_MODE = JSON
#TIME_PREFIX = \"occurred\"\:\s
#TIME_FORMAT = \"%Y-%m-%d %H:%M:%S+00\"

i think it should be the following, but it's not working for me. i've tried with and without quotes.

[fe_json]
...
TIME_PREFIX = "occurred"\:\s
TIME_FORMAT = "%Y-%m-%d %H:%M:%S%Z"
0 Karma
Reply

TonyLeeVT
Builder
‎06-17-2015 03:49 AM

Your observation is correct. I believe the latest version of the appliance added an "appliance-id" field which caused an error with time parsing. That bug fix will be in version 3.0.7.

The fix will be the following:

[fe_json]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
KV_MODE = JSON
TIME_PREFIX = \"occurred\"\:\s
TIME_FORMAT = \"%Y-%m-%d %H:%M:%S+00\"
TZ = UTC

Thanks for reporting it.

Reply

awurster
Contributor
‎06-17-2015 09:13 PM

thanks tony. this is cool, but it's sort of a hack, masking the original problem. i don't know if it has much to do with any appliance-id field.

i don't believe a two digit TZ code is standard. just tell the engineers to send a proper strftime variable, then splunk would automatically parse it. use either %z or %Z:
https://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/6.2.3/data/Applytimezoneoffsetstotimestamps

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...