Getting Data In

Wrong timestamp Palo Alto

Path Finder

Dear Splunkers,

Sorry about this, but I never did such thing before...

My Splunk is in EU and now I added PaloAlto firewall logs (collected by a Syslog and UF pushing them to Splunk) from AUS.

The timestamping is wrong.

First of all the today's events (11/06) are indexed on11th of Jun (06/11).  On the top, it is indexed two hours ahead than the current time.

now the events look like this :

06-11-2020 21:45:43 User.Info Nov 6 21:45:43 1, ..........................................................


I'm using the Palo Alto add-on default for the source type, just the time zone changed to Sydney.  (Timestamp prefix : ^(?:[^,]*,){5}   ;   Lookahead 100)

Could you please advise what I should do? (what will happen if I  will have the same source type logs to the same index but from a different timezone? ) 



Labels (2)
0 Karma

Super Champion

Hi @norbertt911 the props.conf setting on timestamp recognition got some issues. Can you copy paste your props/transforms here(after hiding the hostname values)

Path Finder

Meanwhile, I found it 🙂

The Palo alto add-on permission was limited to the app, not Global. So if I search in Paloalto app it is ok, but that strange behavior in the default Search app.

Only the "bonus" question left. What will happen if I will have the same source type but from a different time zone? I should clone the original pan:log source type with a different time zone setting and add this new source type to props/transforms.conf?


0 Karma
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...