Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit props.conf to adjust the default UTC timestamp?

Hegemon76
Communicator
‎08-23-2016 11:56 AM

Hello,

I'm trying to adjust this raw data seen below. Our office is EST and the FireEye appliance is BST, but the test alerts I'm generating are coming in UTC. I've looked all over the place to change this:

8/23/16 
2:09:48.000 PM  
<162>fenotify-3386.crit: CEF:0|FireEye|MPS|7.8.1.468932|MC|malware-callback|7|rt=Aug 23 2016 18:04:23 UTC

I made a props.conf in the local directory for the search app and put this inside but it doesn't seem to be working either.

[fe_alert]
TIME_PREFIX = ^\d+\w+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%BST
MAX_TIMESTAMP_LOOKAHEAD = 28

Any help would be appreciated.

Thank You

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-23-2016 02:30 PM

You can use TZ atribute
from props.conf docs

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using
  the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.

I would suggest, if possible, using a forwarder on the other location so anything that comes from there, like your appliancedata, gets the proper time and you don't need to set it in the sourcetype stanza.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

Hegemon76
Communicator
‎08-23-2016 02:40 PM

Thanks for your response but you obviously copied and pasted whats in the props.conf documentation....I've already looked at that....

0 Karma
Reply

Hegemon76
Communicator
‎08-23-2016 03:57 PM

At this point I would settle for using an eval command to change my time 8/23/16 6:50:17.000 PM to BST

Is that even possible?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...