Getting Data In

Any idea on where I am going wrong with bash_history timestamping?


All,

I am extracting bash_history; the event looks like this:

#1510170881
grep -r something *

But it ends up with this timestamp:
5/23/18 12:05:39.000 PM

I believe it should be:
5/23/18 22:08:30.000 PM

My props.conf looks like this:

[bash_history]
BREAK_ONLY_BEFORE = #(?=\d+)
MAX_TIMESTAMP_LOOKAHEAD = 11
SHOULD_LINEMERGE = true
TIME_FORMAT = %s
TIME_PREFIX = #
TRANSFORMS-bashhistory = route_to_indexers

Any ideas where I might be going wrong with this?


SplunkTrust

Is the bash_history file in a different time zone from your Splunk account setting?

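As an added example (not part of the question or the reply above), the script below emulates in Python what the posted props.conf stanza does to a bash_history file: it breaks events at every line matching BREAK_ONLY_BEFORE, reads the epoch after TIME_PREFIX within MAX_TIMESTAMP_LOOKAHEAD characters, and renders the result in a display zone the way the Splunk UI would in the user's account zone. The bash_history sample is constructed, the UTC-7 display offset stands in for an assumed account setting, and the behaviour on a `#` line with no digits (merged into the previous event, no timestamp) is the edge case worth knowing. It also includes a check for whether two wall-clock readings differ by a whole number of hours, which is what the time-zone mismatch the reply asks about would produce; a %s epoch is an absolute instant, so a zone setting only moves the displayed clock, never the parsed value.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a ~/.bash_history written with HISTTIMEFORMAT set:
# each command is preceded by a '#<epoch>' line, as in the question.
SAMPLE = """#1510170881
grep -r something *
#1510170900
sudo cat /etc/shadow
cd /tmp
#notatimestamp
echo done
"""

# Mirrors of the props.conf settings from the question.
BREAK_ONLY_BEFORE = re.compile(r"#(?=\d+)")
TIME_PREFIX = re.compile(r"#")
MAX_TIMESTAMP_LOOKAHEAD = 11


def break_events(text):
    """Emulate SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE: a new event
    starts at every line containing a match; non-matching lines (including
    a '#' line with no digits after it) are merged into the current event."""
    events, current = [], []
    for line in text.splitlines():
        if BREAK_ONLY_BEFORE.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_time(event):
    """Emulate TIME_PREFIX=# / TIME_FORMAT=%s / MAX_TIMESTAMP_LOOKAHEAD=11:
    find the prefix, then read the epoch digits inside the lookahead window.
    Return an aware UTC datetime, or None when nothing parses (Splunk would
    then fall back to another source, e.g. the previous event's time or the
    file's modification time, which is how a wrong _time can appear)."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    digits = re.match(r"\d+", window)
    if not digits:
        return None
    # %s is an absolute instant: no TZ setting changes what it means.
    return datetime.fromtimestamp(int(digits.group()), tz=timezone.utc)


def render(dt, offset_hours=0):
    """Format the instant the way the Splunk UI shows _time, in a display
    zone given as a fixed UTC offset (assumed stand-in for the account zone)."""
    display_tz = timezone(timedelta(hours=offset_hours))
    return dt.astimezone(display_tz).strftime("%m/%d/%y %I:%M:%S.000 %p")


def whole_hour_shift(shown, expected):
    """True when two readings of the same instant differ by a whole number of
    hours: the pattern a time-zone mismatch produces (a few zones use 30- or
    45-minute offsets; extend the check if yours does)."""
    delta = abs((shown - expected).total_seconds())
    return delta > 0 and delta % 3600 == 0


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        ts = extract_time(ev)
        first_line = ev.splitlines()[0]
        if ts is None:
            print(f"{first_line!r}: no timestamp parsed, Splunk would fall back")
        else:
            print(f"{first_line!r}: {ts.isoformat()} (UTC) -> "
                  f"{render(ts, -7)} in the assumed UTC-7 account zone")
```

Running it on the sample gives two events (the `#notatimestamp` line merges into the second one because it does not match BREAK_ONLY_BEFORE), and the epoch 1510170881 from the question resolves to 2017-11-08 19:54:41 UTC regardless of any zone setting. If the _time Splunk shows is off from the expected value by a non-whole-hour amount, the stanza is most likely not being applied to the data at all (wrong sourcetype, or parsing happening on a host that does not have this props.conf) rather than a zone problem.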