Good morning everyone,
I have a source type that is showing the event time as 5 hours prior to indextime. I have tried adding the TZ stanza to the TA, as we are currently in the America/New_York TZ, and after a restart the issue is still occurring.
This is a syslog input where Splunk has a monitor input configured and the data is being ingested from there. I am at a loss as to what else to try or look at since I haven't had any luck yet.
The TA is pushed from a DS to the search and the props.conf has been updated from that point.
Thank you for any help in advance.
The search for the information below was found at this link:
https://community.splunk.com/t5/Getting-Data-In/Incorrect-event-time-in-Splunk/m-p/136662
_time: 2020-12-18 01:56:19
delay: 18001
indextime: 12/18/2020 06:56:20
date_zone: 0
host: 1.1.1.1
source: /var/log/syslog-ng/fireeye_hx/1.1.1.1/1.1.1.1_2020-12-18.log
sourcetype: hx_cef_syslog
_raw: 2020-12-18T06:56:19+00:00 1.1.1.1 cef[18505]: CEF:0|fireeye|hx|5.0.2|Malware Hit Found|Malware Hit Found|10|rt=Dec 18 2020 11:56:19 UTC dvchost=xxxx deviceExternalId=xxxx categoryDeviceGroup=/IDS categoryDeviceType=Malware Protection categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=hash dst=x.x.x.x dmac=xx-xx-xx-xx-xx-xx dhost=MAC1 dntdom=xyz deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Dec 18 2020 07:52:21 UTC cs2Label=FireEye Agent Version cs2=x.x.x cs5Label=Target GMT Offset cs5=-PT5H cs6Label=Target OS cs6=somemachine externalId=24807616 start=Dec 18 2020 11:56:00 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=malware cs12Label=Malware Category cs12=file-event act=Detection MAL Hit msg=Host xxxx Malware alert categoryTupleDescription=Malware Protection found a compromise indication. cs4Label=Process Name cs4=Process categoryTechnique=Malware cs13Label=Malware Engine cs13=AV
index=xyz sourcetype=hx_cef_syslog host=1.1.1.1
| convert ctime(_indextime) AS indextime
| eval delay=_indextime-_time
| table _time delay indextime date_zone host source sourcetype _raw
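The sample event above carries two timestamps: the syslog-ng header (`2020-12-18T06:56:19+00:00`) and the CEF `rt=` field (`Dec 18 2020 11:56:19 UTC`). As an added example (not part of the original post), the script below takes a trimmed copy of that event plus the `indextime` from the search output, assumes the displayed times are in America/New_York (UTC-5 in December), and reports the delay against each candidate timestamp, reproducing the 18001-second figure the search shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the post's _raw event, trimmed to the fields used here.
RAW = ("2020-12-18T06:56:19+00:00 1.1.1.1 cef[18505]: CEF:0|fireeye|hx|5.0.2|"
       "Malware Hit Found|Malware Hit Found|10|rt=Dec 18 2020 11:56:19 UTC "
       "dvchost=xxxx cs5Label=Target GMT Offset cs5=-PT5H start=Dec 18 2020 11:56:00 UTC")

# indextime as printed by "convert ctime(_indextime)" in the post; assumed to be
# rendered in America/New_York, which is UTC-5 on 2020-12-18.
INDEXTIME_LOCAL = "12/18/2020 06:56:20"
NY_OFFSET = timezone(timedelta(hours=-5))

def header_time(raw):
    """Timestamp at the start of the syslog line, honouring its explicit +00:00 offset."""
    return datetime.fromisoformat(raw.split(" ", 1)[0])

def cef_rt(raw):
    """The CEF rt= field, which the sensor writes in UTC."""
    m = re.search(r"rt=([A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) UTC", raw)
    if not m:
        raise ValueError("no rt= field in event")
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)

def index_time():
    return datetime.strptime(INDEXTIME_LOCAL, "%m/%d/%Y %H:%M:%S").replace(tzinfo=NY_OFFSET)

def delays(raw):
    """Seconds between index time and each candidate event time (mirrors eval delay=_indextime-_time)."""
    idx = index_time()
    return {
        "header": int((idx - header_time(raw)).total_seconds()),
        "rt": int((idx - cef_rt(raw)).total_seconds()),
    }

def diagnose(raw):
    """Hours of delay against the header but ~none against rt= means the header
    carries local wall-clock time labelled +00:00; rt= is the real event time."""
    d = delays(raw)
    return "header_offset_wrong" if d["header"] >= 3600 and abs(d["rt"]) < 60 else "ok"

if __name__ == "__main__":
    print(delays(RAW), diagnose(RAW))
```

Because the header timestamp states its own offset, a TZ stanza in props.conf does not change how it is parsed; pointing TIME_PREFIX and TIME_FORMAT at the `rt=` field is the props.conf mechanism that makes Splunk take the event time from that field instead.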