
timezone not parsed correctly in FireEye NX JSON logs

awurster
Contributor

Not sure why exactly the time stuff is commented out in the TA code, but I found that timestamps were not parsed correctly when sending our events from an NX appliance to Splunk via JSON / HTTPS and the FireEye TA v3.

event data:

...
"occurred": "2015-06-17 03:25:55+00", 
"id": "1", 
"action": "notified", 
"interface": {
"mode": "tap"
...

I found that I had to uncomment and adjust the two TIME_ fields below to get things working.

###### FireEye JSON over HTTPS ######
# Universal Handler for FireEye JSON notifications (pre and post FireEye OS 7.1)
[fe_json]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
KV_MODE = JSON
#TIME_PREFIX = \"occurred\"\:\s
#TIME_FORMAT = \"%Y-%m-%d %H:%M:%S+00\"

I think it should be the following, but it's not working for me. I've tried with and without quotes.

[fe_json]
...
TIME_PREFIX = "occurred"\:\s
TIME_FORMAT = "%Y-%m-%d %H:%M:%S%Z"

TonyLeeVT
Builder

Your observation is correct. I believe the latest version of the appliance added an "appliance-id" field which caused an error with time parsing. That bug fix will be in version 3.0.7.

The fix will be the following:

[fe_json]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
KV_MODE = JSON
TIME_PREFIX = \"occurred\"\:\s
TIME_FORMAT = \"%Y-%m-%d %H:%M:%S+00\"
TZ = UTC

Thanks for reporting it.

awurster
Contributor

Thanks Tony. This is cool, but it's sort of a hack, masking the original problem. I don't know if it has much to do with any appliance-id field.

I don't believe a two-digit TZ code is standard. Just tell the engineers to send a proper strftime variable, then Splunk would automatically parse it. Use either %z or %Z:
https://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/6.2.3/data/Applytimezoneoffsetstotimestamps

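The two positions in the thread, as an added example that is not code from the FireEye TA or from either poster. It uses Python's strptime as a stand-in for Splunk's timestamp recognition (an assumption; Splunk's own strptime may differ in detail) and a constructed event trimmed to the fields quoted above. LITERAL_FORMAT mirrors Tony's fix (the "+00" matched as a literal, zone forced to UTC); parse_with_offset mirrors awurster's suggestion of letting %z interpret the offset, after widening the appliance's bare "+HH" to the "+HHMM" that %z actually requires. The function and constant names are this example's own.

```python
"""Parse the FireEye NX "occurred" timestamp two ways.

Added example, not code from the FireEye TA or the thread. It assumes the
JSON field looks exactly like the event data quoted in the question:
    "occurred": "2015-06-17 03:25:55+00"
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample event, trimmed to the fields the thread shows.
SAMPLE_EVENT = (
    '{"occurred": "2015-06-17 03:25:55+00", "id": "1", '
    '"action": "notified", "interface": {"mode": "tap"}}'
)

# Mirrors the proposed props.conf fix: TIME_FORMAT = "%Y-%m-%d %H:%M:%S+00"
# plus TZ = UTC. The "+00" is a literal here, so the offset is never read.
LITERAL_FORMAT = "%Y-%m-%d %H:%M:%S+00"

# Mirrors the %z suggestion: let strptime interpret the offset itself.
OFFSET_FORMAT = "%Y-%m-%d %H:%M:%S%z"

# A bare two-digit offset ("+00", "-05") right after the seconds field.
_BARE_HOUR_OFFSET = re.compile(r"(?<=\d:\d\d)([+-]\d{2})$")


def strptime_z_accepts(value: str) -> bool:
    """True if %z can parse the offset exactly as the appliance sends it."""
    try:
        datetime.strptime(value, OFFSET_FORMAT)
        return True
    except ValueError:
        # %z wants +HHMM (or +HH:MM); a bare +HH is rejected.
        return False


def parse_literal_utc(value: str) -> datetime:
    """TA-style parse: '+00' is a literal, the zone is forced to UTC."""
    return datetime.strptime(value, LITERAL_FORMAT).replace(tzinfo=timezone.utc)


def literal_parse_handles(value: str) -> bool:
    """Shows the limit of the literal fix: any offset other than +00 fails."""
    try:
        parse_literal_utc(value)
        return True
    except ValueError:
        return False


def parse_with_offset(value: str) -> datetime:
    """Honour the offset: widen a bare '+HH' to '+HHMM', then use %z."""
    normalized = _BARE_HOUR_OFFSET.sub(r"\g<1>00", value)
    return datetime.strptime(normalized, OFFSET_FORMAT)


def event_time_epoch(raw_json: str) -> int:
    """What _time should be for the event, as Unix seconds (UTC)."""
    occurred = json.loads(raw_json)["occurred"]
    return int(parse_with_offset(occurred).timestamp())


if __name__ == "__main__":
    print("raw %z accepts '+00':", strptime_z_accepts("2015-06-17 03:25:55+00"))
    print("literal+UTC  :", parse_literal_utc("2015-06-17 03:25:55+00").isoformat())
    print("offset-aware :", parse_with_offset("2015-06-17 03:25:55+00").isoformat())
    print("epoch        :", event_time_epoch(SAMPLE_EVENT))
    print("literal handles '-05':", literal_parse_handles("2015-06-17 03:25:55-05"))
```

Both paths give the same instant for the "+00" the appliance emits today; the difference shows up if the appliance ever emits a non-UTC offset, which the literal format cannot match at all while the offset-aware path converts it correctly.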