Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I convert time stamp from UTC to local time at index time?

digital_alchemy
Path Finder
‎05-05-2014 12:28 PM

I have McAfee logs that contain going into Splunk and the event time is populated with the time that the event is actually reported; however, there is another time stamp called "detected_timestamp" that contains the actual time of detection. This detected_timestamp is being as displayed as UTC time as in this example:

detected_timestamp=1299329385.000

My question is how can we have this detected_timestamp be automatically corrected to local time?

I can do it at search time but would rather find a better solution.

Sample Fields:

        _time   detected_timestamp  event_id    signature   threat_handled

1    2014-05-05 15:27:16     1399331629.000  48234651    Common Standard Protection:Prevent modification of McAfee files and settings    true

2    2014-05-05 15:27:02     1399330812.000  48234650    none    true

3    2014-05-05 15:26:45     1399330406.000  48234649    Common Standard Protection:Prevent termination of McAfee processes  true
Tags (2)
0 Karma
Reply

lukejadamec
Super Champion
‎05-05-2014 01:04 PM

Try this in props.conf in the sourcetype stanza for this input on the indexer.

MAX_TIMESTAMP_LOOKAHEAD = 21
TIME_PREFIX = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+

0 Karma
Reply

lukejadamec
Super Champion
‎05-05-2014 01:05 PM

This will not affect events that have already been indexed, and the splunkd will need to be restarted on the indexer.

0 Karma
Reply

lukejadamec
Super Champion
‎05-05-2014 12:37 PM

Post an example of the log, and we can give you a configuration for Splunk to select the correct timestamp.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...