I have McAfee logs that contain going into Splunk and the event time is populated with the time that the event is actually reported; however, there is another time stamp called "detected_timestamp" that contains the actual time of detection. This detected_timestamp is being as displayed as UTC time as in this example:
detected_timestamp=1299329385.000
My question is how can we have this detected_timestamp be automatically corrected to local time?
I can do it at search time but would rather find a better solution.
Sample Fields:
_time detected_timestamp event_id signature threat_handled
1 2014-05-05 15:27:16 1399331629.000 48234651 Common Standard Protection:Prevent modification of McAfee files and settings true
2 2014-05-05 15:27:02 1399330812.000 48234650 none true
3 2014-05-05 15:26:45 1399330406.000 48234649 Common Standard Protection:Prevent termination of McAfee processes true
Try this in props.conf in the sourcetype stanza for this input on the indexer.
MAX_TIMESTAMP_LOOKAHEAD = 21
TIME_PREFIX = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+
This will not affect events that have already been indexed, and the splunkd will need to be restarted on the indexer.
Post an example of the log, and we can give you a configuration for Splunk to select the correct timestamp.