Getting Data In

How do I convert time stamp from UTC to local time at index time?

Path Finder

I have McAfee logs going into Splunk, and the event time is populated with the time that the event is actually reported; however, there is another timestamp called "detected_timestamp" that contains the actual time of detection. This detected_timestamp is being displayed as UTC time, as in this example:


My question is how can we have this detected_timestamp be automatically corrected to local time?

I can do it at search time but would rather find a better solution.

Sample Fields:

       _time                detected_timestamp   event_id   signature                                                                      threat_handled
    1  2014-05-05 15:27:16  1399331629.000       48234651   Common Standard Protection:Prevent modification of McAfee files and settings   true
    2  2014-05-05 15:27:02  1399330812.000       48234650   none                                                                           true
    3  2014-05-05 15:26:45  1399330406.000       48234649   Common Standard Protection:Prevent termination of McAfee processes             true

Super Champion

Try this in props.conf in the sourcetype stanza for this input on the indexer.

TIME_PREFIX = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+

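To see what the TIME_PREFIX setting above actually does to a line, here is a small added Python example; it is not the answerer's code and not anything Splunk ships. It applies the same regex to constructed raw lines (the layout, reported time followed by the epoch detected_timestamp and the other fields, is assumed from the sample table, since the real log format is not shown), takes the value that follows the prefix as epoch seconds (what Splunk's `%s` TIME_FORMAT would read), and renders it both as UTC and in an assumed local zone. The fixed UTC-7 offset is only an illustration of "local time"; substitute the real zone.

```python
import re
from datetime import datetime, timezone, timedelta

# The TIME_PREFIX regex from the answer: consume the reported time so that
# timestamp extraction starts at the value that follows it.
TIME_PREFIX = re.compile(r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+")

# Constructed sample raw lines (assumed layout: reported time, detected_timestamp
# as epoch seconds, event_id, signature, threat_handled). Values come from the
# sample table in the question.
SAMPLE_LINES = [
    "2014-05-05 15:27:16  1399331629.000  48234651  "
    "Common Standard Protection:Prevent modification of McAfee files and settings  true",
    "2014-05-05 15:27:02  1399330812.000  48234650  none  true",
    "2014-05-05 15:26:45  1399330406.000  48234649  "
    "Common Standard Protection:Prevent termination of McAfee processes  true",
]

# Assumed local zone: a fixed UTC-7 offset. On a real system use
# zoneinfo.ZoneInfo("America/Los_Angeles") or whatever the site's zone is.
LOCAL_TZ = timezone(timedelta(hours=-7), name="UTC-7")


def extract_epoch(line):
    """Skip the TIME_PREFIX match and return the epoch seconds after it, or None."""
    m = TIME_PREFIX.match(line)
    if m is None:
        return None
    rest = line[m.end():]
    # Ten digits with an optional fraction, i.e. what a %s format would accept.
    epoch = re.match(r"\d{10}(?:\.\d+)?", rest)
    return float(epoch.group(0)) if epoch else None


def epoch_to_utc(epoch):
    """Render epoch seconds as UTC (how the question says the field is shown)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S %Z")


def epoch_to_local(epoch, tz=LOCAL_TZ):
    """Render the same epoch value in a local zone; the number itself has no zone."""
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = extract_epoch(line)
        print(f"{e:.0f}  {epoch_to_utc(e)}  {epoch_to_local(e)}")
```

The point the example makes is that an epoch value carries no timezone; "UTC" versus "local" is purely how it is rendered. Once the prefix is skipped and the epoch becomes the event's _time, Splunk will display it in the timezone configured for the searching user, so no separate conversion step is needed.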

Super Champion

This will not affect events that have already been indexed, and splunkd will need to be restarted on the indexer.


Super Champion

Post an example of the log, and we can give you a configuration for Splunk to select the correct timestamp.
