Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to handle multiple timezone when getting the paloalto firewall logs in?

Iris_Pi
Path Finder
‎08-19-2024 02:37 AM

Hello Guys,

We have paloalto firewalls with different timezone settings. For the ones which is not in the same timezone as Splunk, their logs will be considered as the logs of the future and hence cannot be searched in Splunk in a timely manner.

I cannot fix it by specifying timezone for the source types provided by the paloalto TA, since it cannot fulfill multiple time zones at the same time.

I wonder if you have experienced the similar problem, if yes, would you please share your experience on handling this kind of issue?

Thanks much for your help in advance!

Regards,
Iris

Labels (1)
Labels
0 Karma
Reply

Iris_Pi
Path Finder
‎08-21-2024 01:59 AM

My problem was solved by creating a private app with a customized props.conf file, which defines different TZ for different hosts like showed as below:

[host::hostA]
TZ = xxx

[host::hostB]
TZ = xxx

0 Karma
Reply

KendallW
Contributor
‎08-19-2024 06:19 PM

Hi @Iris_Pi would it be feasible to specify the time zone using source stanzas in props.conf instead of sourcetype in this case? [source::] takes precedence over [<sourcetype>] in props.conf. 

 

Reply

Iris_Pi
Path Finder
‎08-19-2024 11:42 PM

Hello @KendallW,

Can you please help on a follow up question? In my case, I'm using HEC to get the logs in, the "source::" spec cannot distinguish the firewalls, can I use "host::" instead?

0 Karma
Reply

KendallW
Contributor
‎08-21-2024 10:57 PM

Hi @Iris_Pi , yes, as per the documentation:

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-22-2024 12:27 AM

One caveat though - the host field might be being parsed out from the raw message during ingestion. In such case you can't use it for specifying props stanza.

0 Karma
Reply

Iris_Pi
Path Finder
‎08-19-2024 06:41 PM

Thanks much for your reply!
I'm checking with the support if they can help to set props.conf on the backend, since we are using splunk cloud.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...