I have McAfee logs going into Splunk, and the event time is populated with the time that the event is actually reported; however, there is another timestamp called "detected_timestamp" that contains the actual time of detection. This detected_timestamp is being displayed as UTC time, as in this example:
My question is how can we have this detected_timestamp be automatically corrected to local time?
I can do it at search time but would rather find a better solution.
   _time                detected_timestamp  event_id  signature                                                                      threat_handled
1  2014-05-05 15:27:16  1399331629.000      48234651  Common Standard Protection:Prevent modification of McAfee files and settings  true
2  2014-05-05 15:27:02  1399330812.000      48234650  none                                                                           true
3  2014-05-05 15:26:45  1399330406.000      48234649  Common Standard Protection:Prevent termination of McAfee processes            true
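As an added illustration (not from the question above), one way to have the conversion applied automatically is a calculated field in props.conf: Splunk's strftime() renders an epoch value in the timezone of the user running the search, so the field shows up already localized without an eval in every search. The sourcetype name mcafee:epo is an assumption; use whatever sourcetype the McAfee events are actually indexed under.

```ini
# props.conf (search head) -- assumed sourcetype name, adjust to your own
[mcafee:epo]
# detected_timestamp is an epoch value (e.g. 1399331629.000), which has no
# timezone of its own; strftime() formats it in the searching user's timezone,
# so detected_local lines up with how _time is displayed for that user.
EVAL-detected_local = strftime(tonumber(detected_timestamp), "%Y-%m-%d %H:%M:%S")
# Keep the original epoch untouched: detected_timestamp is still available
# for arithmetic such as the reporting delay below.
EVAL-report_delay_sec = _time - tonumber(detected_timestamp)
```

The same two expressions can be tried first in a search (`| eval detected_local=strftime(tonumber(detected_timestamp), "%Y-%m-%d %H:%M:%S")`) to confirm the timezone preference of the user, which is what governs the displayed offset.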