How do I convert time stamp from UTC to local tim...

digital_alchemy · ‎05-05-2014

I have McAfee logs that contain going into Splunk and the event time is populated with the time that the event is actually reported; however, there is another time stamp called "detected_timestamp" that contains the actual time of detection. This detected_timestamp is being as displayed as UTC time as in this example:

detected_timestamp=1299329385.000

My question is how can we have this detected_timestamp be automatically corrected to local time?

I can do it at search time but would rather find a better solution.

Sample Fields:

        _time   detected_timestamp  event_id    signature   threat_handled

1    2014-05-05 15:27:16     1399331629.000  48234651    Common Standard Protection:Prevent modification of McAfee files and settings    true

2    2014-05-05 15:27:02     1399330812.000  48234650    none    true

3    2014-05-05 15:26:45     1399330406.000  48234649    Common Standard Protection:Prevent termination of McAfee processes  true

lukejadamec · ‎05-05-2014

Try this in props.conf in the sourcetype stanza for this input on the indexer.

MAX_TIMESTAMP_LOOKAHEAD = 21 TIME_PREFIX = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+

lukejadamec · ‎05-05-2014

This will not affect events that have already been indexed, and the splunkd will need to be restarted on the indexer.

lukejadamec · ‎05-05-2014

Post an example of the log, and we can give you a configuration for Splunk to select the correct timestamp.

How do I convert time stamp from UTC to local time at index time?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk