Getting Data In

Setting correct timezone for mcafee logs in dbconnect

rsanders30
Path Finder

I have been having issues modifying the timezone for McAfee logs. Currently, my logs are indexed as UTC, and I would like to change it to EST. I am currently on DB Connect 3.1.1 and have the Splunk Add-on for McAfee 2.2.0 installed on my indexers and search heads (Splunk version 6.5.3). I am using the McAfee template to query the DB, and the logs show the correct timestamp in the Eastern timezone.

I've tried the following methods, but have not had success:

- adjusting the settings in the JVM options
- adjusting the connection options to UTC and US/Eastern
- creating a SQL query
- changing the localTimezoneConversionEnabled setting to true/false

Appreciate the help.

1 Solution

rsanders30
Path Finder

So, here are the steps we completed to fix our timestamp issue.

  • We updated our DB Connect to 3.1.1.
  • In the DB connection configuration settings, we set the timezone to UTC +00:00.
  • We chose the detected_timestamp column instead of timestamp in our inputs.
  • We didn't modify the props.conf or db_connections.conf files (left as UTC).
  • I set my user settings to my timezone.
  • No changes were made to the McAfee template query regarding time.

The events are now showing as my local time. I hope this helps.


gerald_contrera
Path Finder

Any updates on this issue?
I have the same issue after migrating from DBConnect v2 to v3.1.3.
Using Add-on for McAfee 2.2.0.
Our current workaround is to add +10hrs to match our timezone, but this won't fly for daylight saving unless we keep manually changing it.

Temp workaround at top of SQL query:

    SELECT
    dateadd(hour, 10, [EPOEvents].[ReceivedUTC]) AS [timestamp],

A permanent solution would be great. Not sure what changed from v2 to v3.1.3.
I have also logged this with Splunk support, so I'll see what they come back with.


bangalorep
Communicator

Hello! You can try changing the timezone in props.conf in etc/system/local/

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf


johnebgood
Path Finder

Were you able to get this resolved? We're having the same problem and have hundreds of endpoints in different time zones.
