Getting Data In

How do I convert time stamp from UTC to local time at index time?

digital_alchemy
Path Finder

I have McAfee logs going into Splunk, and the event time is populated with the time that the event is actually reported; however, there is another time stamp called "detected_timestamp" that contains the actual time of detection. This detected_timestamp is displayed as UTC time, as in this example:

detected_timestamp=1299329385.000

My question is how can we have this detected_timestamp be automatically corrected to local time?

I can do it at search time but would rather find a better solution.

Sample Fields:

  #  _time                detected_timestamp  event_id  signature                                                                     threat_handled
  1  2014-05-05 15:27:16  1399331629.000      48234651  Common Standard Protection:Prevent modification of McAfee files and settings  true
  2  2014-05-05 15:27:02  1399330812.000      48234650  none                                                                          true
  3  2014-05-05 15:26:45  1399330406.000      48234649  Common Standard Protection:Prevent termination of McAfee processes            true

lukejadamec
Super Champion

Try this in props.conf in the sourcetype stanza for this input on the indexer.

MAX_TIMESTAMP_LOOKAHEAD = 21
TIME_PREFIX = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+

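As an added check (not part of the thread), a small Python emulation of the window that TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD would hand to the timestamp parser, run over two constructed raw-event layouts, with the epoch converted to an assumed UTC-7 local offset; it is a simplification, not Splunk's own parser.

```python
import re
from datetime import datetime, timezone, timedelta

# Settings from the answer above.
MAX_TIMESTAMP_LOOKAHEAD = 21
TIME_PREFIX = re.compile(r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+")

# Epoch seconds with an optional fractional part, e.g. 1399331629.000
EPOCH = re.compile(r"\d{10}(?:\.\d+)?")

# Assumed local offset for display (UTC-7); Splunk would use the indexer's TZ instead.
LOCAL_TZ = timezone(timedelta(hours=-7))

# Constructed sample events (the thread shows search results, not raw log lines).
# Layout A: the epoch directly follows the reported time, as in the question's table.
EVENT_TABULAR = ("2014-05-05 15:27:16     1399331629.000  48234651    "
                 "Common Standard Protection:Prevent modification of McAfee files and settings    true")
# Layout B: key=value form; here the 21-character window ends before the epoch digits.
EVENT_KV = ("2014-05-05 15:27:16 event_id=48234651 "
            "detected_timestamp=1399331629.000 threat_handled=true")


def lookahead_window(raw_event):
    """Return the text scanned for a timestamp after TIME_PREFIX matches (None if no match)."""
    m = TIME_PREFIX.search(raw_event)
    if m is None:
        return None
    return raw_event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]


def extract_detected_time(raw_event):
    """Find an epoch inside the lookahead window and return it as local time, or None."""
    window = lookahead_window(raw_event)
    if window is None:
        return None
    m = EPOCH.search(window)
    if m is None:
        return None  # window too short or no epoch there: Splunk would fall back to other rules
    epoch = float(m.group(0))
    return datetime.fromtimestamp(epoch, tz=timezone.utc).astimezone(LOCAL_TZ)


if __name__ == "__main__":
    for event in (EVENT_TABULAR, EVENT_KV):
        print(repr(lookahead_window(event)), "->", extract_detected_time(event))
```

If the window comes back without the epoch, widen MAX_TIMESTAMP_LOOKAHEAD or anchor TIME_PREFIX on `detected_timestamp=` before restarting splunkd.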

lukejadamec
Super Champion

This will not affect events that have already been indexed, and splunkd will need to be restarted on the indexer.


lukejadamec
Super Champion

Post an example of the log, and we can give you a configuration for Splunk to select the correct timestamp.
