Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to change timestamp in activity log from UTC?

meshorer
Path Finder
‎04-04-2024 10:09 AM

hello all,

 

I noticed that timestamp in activity log is in UTC, and also while using timer app and in the event name adding "$now()" ,the timestamp is also UTC.

it is not the time zone I defined in the user settings nor in the administration/company settings.

is there a way to change the time zone from UTC to different time?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Builder
‎04-09-2024 01:31 PM

Unfortunately you'd have to change the python code to do this, at least for the timer app. If you open the timer_connector.py in $SOAR_HOME$/apps/timer_*/, then it formats the event name with this function:

    def _format_event_name(self):
        config = self.get_config()
        event_name = self._handle_py_ver_compat_for_input_str(config['event_name'])

        iso_now = datetime.datetime.now(pytz.utc).isoformat()
        label_name = config.get('ingest', {}).get('container_label', '')

        event_name = re.sub(
            r'(^|[^0-9a-zA-Z]+)(\$now)($|[^0-9a-zA-Z]+)',
            r'\g<1>{}\g<3>'.format(iso_now),
            event_name
        )

the time for the $now token is obtained from datetime.datetime.now(pytz.utc).isoformat() , explicitly setting the timezone to UTC.

I have not looked for the code writing the activity log but would assume it is the same.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

marnall
Builder
‎04-09-2024 01:31 PM

Unfortunately you'd have to change the python code to do this, at least for the timer app. If you open the timer_connector.py in $SOAR_HOME$/apps/timer_*/, then it formats the event name with this function:

    def _format_event_name(self):
        config = self.get_config()
        event_name = self._handle_py_ver_compat_for_input_str(config['event_name'])

        iso_now = datetime.datetime.now(pytz.utc).isoformat()
        label_name = config.get('ingest', {}).get('container_label', '')

        event_name = re.sub(
            r'(^|[^0-9a-zA-Z]+)(\$now)($|[^0-9a-zA-Z]+)',
            r'\g<1>{}\g<3>'.format(iso_now),
            event_name
        )

the time for the $now token is obtained from datetime.datetime.now(pytz.utc).isoformat() , explicitly setting the timezone to UTC.

I have not looked for the code writing the activity log but would assume it is the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...