Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple Time Sources in Event Log

willadams
Contributor
‎04-08-2020 10:28 PM

I have an event in my log that contains the following information

* Event Time
* Post Event Time 1
* Post Event Time 2
* Post Event Time 3

The original event sends the time as UTC+0. I have adjusted my sourcetype to set the TZ as required and the logs are now coming in with the appropriate offset into SPLUNK instance. For example the TZ is set to +8. If my time was 12:30pm then the log comes through as follows for example:

* Event Time ==> 12:30pm 09/04/2020 ==> this is accurate as my props is doing what I want it to do.


The problem is that the other time fields in the event (the source is CEF) show as "alphabetic" fields (string) so not true times. 

* PostTime1 ==> APR 09 04:30:00
* PostTime2 ==> APR 09 04:30:00
* PostTime 3 ==> APR 09 04:30:00

I can adjust the times by using strp/strf time to get what I need but what I would like to know is can I do this at ingest time (so via something like props/transforms) as opposed to in a search? The Event Time (ingest time) works exactly as required so that doesnt need to change. This is purely for the other non "_time" fields.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-09-2020 01:12 AM

add TZ_ALIAS and use TRANSFORMS and INGEST_EVAL on transforms.conf

0 Karma
Reply

willadams
Contributor
‎04-09-2020 03:08 AM

I assume you mean TZ_ALIAS?

Ingest eval I have not used before. The doco says only works for indexed time so it doesnt seem to meet my requirement...? Is there any example code on how this would be done?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...