Dear Splunkers,
Sorry about this, but I never did such a thing before...
My Splunk is in the EU and now I added Palo Alto firewall logs (collected by syslog and a UF pushing them to Splunk) from AUS.
The timestamping is wrong.
First of all, today's events (11/06) are indexed on the 11th of Jun (06/11). On top of that, they are indexed two hours ahead of the current time.
Now the events look like this:
11/06/2020 13:45:43.000 | 06-11-2020 21:45:43 User.Info 10.180.160.41 Nov 6 21:45:43 Firewall.device.name 1, .......................................................... |
I'm using the Palo Alto add-on defaults for the source type, with just the time zone changed to Sydney. (Timestamp prefix: ^(?:[^,]*,){5}; Lookahead: 100)
Could you please advise what I should do? (What will happen if I have logs with the same source type going to the same index but from a different time zone?)
Regards,
Norbert
Hi @norbertt911, the props.conf setting for timestamp recognition has some issues. Can you copy and paste your props/transforms here (after hiding the hostname values)?
Meanwhile, I found it 🙂
The Palo Alto add-on's permissions were limited to the app, not Global. So if I search in the Palo Alto app it is OK, but there is that strange behavior in the default Search app.
Only the "bonus" question is left. What will happen if I have the same source type but from a different time zone? Should I clone the original pan:log source type with a different time zone setting and add this new source type to props/transforms.conf?
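For the bonus question, an added props.conf example (not from this thread or from the Palo Alto add-on) showing how one sourcetype can keep a single timestamp definition while the time zone is set per sending host: the hostnames `fw-syd-01` and `fw-fra-01` and the TZ values are assumptions, and the TIME_PREFIX and lookahead values are the ones quoted above.

```ini
# props.conf on the parsing tier (indexer or heavy forwarder), where
# TZ and timestamp extraction are applied at index time.

[pan:log]
# Timestamp recognition stays in one place for every firewall.
TIME_PREFIX = ^(?:[^,]*,){5}
MAX_TIMESTAMP_LOOKAHEAD = 100
# Default zone for hosts that have no more specific stanza below.
TZ = Australia/Sydney

# Per-host overrides: in Splunk's precedence for conflicting props.conf
# settings, a [host::...] stanza wins over a [sourcetype] stanza, so the
# same sourcetype can carry events from several zones without cloning it.
[host::fw-syd-01]
TZ = Australia/Sydney

[host::fw-fra-01]
TZ = Europe/Berlin
```

Because TZ is evaluated at index time, events already indexed with the wrong zone keep their `_time`; the override only affects data arriving after the change.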