Getting Data In

Setting correct timezone for McAfee logs in DB Connect

rsanders30
Path Finder

I have been having issues modifying the timezone for McAfee logs. Currently, my logs are indexed as UTC, and I would like to change it to EST. I am currently on DB Connect 3.1.1 and have the Splunk Add-on for McAfee 2.2.0 installed on my indexers and search heads (Splunk version 6.5.3). I am using the McAfee template to query the DB, and the logs show the correct timestamp in the Eastern timezone.

I've tried the following methods, but have not had success:

  • adjusting the settings in the JVM options
  • adjusting the connection options to UTC and US/Eastern
  • creating a SQL query
  • changing the localTimezoneConversionEnabled setting to true/false

Appreciate the help.

1 Solution

rsanders30
Path Finder

So, here are the steps we completed to fix our timestamp issue.

  • We updated our DB Connect to 3.1.1.
  • In the DB connection configuration settings, we set the timezone to UTC +00:00.
  • We chose the detected_timestamp column instead of timestamp in our inputs.
  • We didn't modify the props.conf or db_connections.conf files (left as UTC).
  • I set my user settings to my timezone.
  • No changes were made to the McAfee template query regarding time.

The events are now showing as my local time. I hope this helps.


gerald_contrera
Path Finder

Any updates on this issue?
I have the same issue after migrating from DB Connect v2 to v3.1.3.
Using Add-on for McAfee 2.2.0.
Our current workaround is to add +10 hrs to match our timezone, but this won't fly for daylight savings unless we keep manually changing it.

Temp workaround at top of SQL query:
SELECT
    DATEADD(hour, 10, [EPOEvents].[ReceivedUTC]) AS [timestamp],

A permanent solution would be great. Not sure what changed from v2 to v3.1.3.
I have also logged this with Splunk support, so I'll see what they come back with.

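The following is an added example, not part of the thread above, showing why the fixed-offset DATEADD workaround drifts across a daylight-saving boundary while a tz-database conversion does not. The sample ReceivedUTC values, the zone Australia/Sydney (chosen because the post's offset is +10) and the function names are constructed for the illustration; the accepted answer's approach of leaving the column as UTC and letting Splunk convert at display time corresponds to the zone_aware path here.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample values, in the shape a naive DATETIME column such as
# [EPOEvents].[ReceivedUTC] is returned: no zone marker, but really UTC.
# One falls inside the target zone's daylight-saving period, one outside.
SAMPLE_RECEIVED_UTC = [
    "2018-01-15 03:00:00",  # Sydney summer: AEDT, UTC+11
    "2018-07-15 03:00:00",  # Sydney winter: AEST, UTC+10
]

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def fixed_offset(received_utc: str, hours: int = 10) -> datetime:
    """Mimic the SQL workaround DATEADD(hour, 10, ReceivedUTC).

    The result is still a naive timestamp, so the indexer keeps reading it
    with whatever zone the input is configured for (UTC in this thread),
    and the +10 is wrong for the part of the year the zone is at +11.
    """
    naive = datetime.strptime(received_utc, DATE_FMT)
    return naive + timedelta(hours=hours)


def zone_aware(received_utc: str, tz_name: str = "Australia/Sydney") -> datetime:
    """Treat the column as the UTC value it is and convert with a tz-database
    zone, so the daylight-saving offset is applied automatically."""
    naive = datetime.strptime(received_utc, DATE_FMT)
    return naive.replace(tzinfo=timezone.utc).astimezone(ZoneInfo(tz_name))


def drift_hours(received_utc: str, tz_name: str = "Australia/Sydney",
                hours: int = 10) -> float:
    """How many hours the fixed-offset workaround is off from the correct
    local wall-clock time for this sample (0.0 means they agree)."""
    fixed = fixed_offset(received_utc, hours)
    correct_local = zone_aware(received_utc, tz_name).replace(tzinfo=None)
    return (correct_local - fixed).total_seconds() / 3600


if __name__ == "__main__":
    for sample in SAMPLE_RECEIVED_UTC:
        print(sample, "-> DATEADD:", fixed_offset(sample),
              "| tz-aware:", zone_aware(sample).isoformat(),
              "| drift (h):", drift_hours(sample))
```

Running it shows the January sample landing one hour early under the DATEADD workaround and the July sample matching, which is exactly the manual re-tuning the post describes; converting from a genuine UTC value at display time (the user's timezone setting, or a tz-database zone name) avoids the problem.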

bangalorep
Communicator

Hello! You can try changing the timezone in props.conf in etc/system/local/

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf

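As an added illustration of the suggestion above (not from the post or from Splunk's own documentation), this is the shape of a per-sourcetype TZ override in $SPLUNK_HOME/etc/system/local/props.conf. The sourcetype name is an assumption; use whatever your DB Connect input assigns.

```ini
# Added example. Stanza name is assumed; match it to the sourcetype your
# DB Connect input sets for the McAfee events.
[mcafee:epo]
# tz-database zone name, so daylight-saving changes are handled for you
TZ = US/Eastern
```

TZ is an index-time setting: it is applied on the indexers (or heavy forwarders) when the timestamp is extracted, so only events indexed after the change are affected, and a fixed offset baked into the SQL query would be applied on top of it.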

johnebgood
Path Finder

Were you able to get this resolved? We're having the same problem and have hundreds of endpoints in different time zones.
