Alerting

How do I adjust timezone settings for Cisco WSA data to set up accurate alerting?

kearaspoor
SplunkTrust

We have multiple Cisco WSA devices set up in each of the US timezones; each is set to log in local time. But it seems as if the WSA logs don't contain any kind of timezone indicator on them.

When I run a search in Splunk, using a user account in Central time, against a WSA device in Eastern time, I end up getting "future" events.
Example: I ran a search at 8AM Central against an Eastern WSA device, and there were events found with timestamps of 9AM.

Likewise when I run a search looking for lag between index time and timestamp (again from a Central Time account):

index=wsa_system sourcetype="cisco:wsa:shd" CliConn=*  | eval lag=((_indextime-_time)/(60*60))

All our Eastern devices are reporting negative lag (future timestamps), Central devices are relatively real-time, Mountain devices have approx 1hr lag, Western devices have roughly 2hr lag.

I'm trying to set up alerts for high numbers of client connections and need to know:
1) Is there any way to adjust for these time offsets at search time using our current logs?
2) Is there a way for Splunk to add the time offsets/zone to the events at indexing time?
3) Is there a way to have the WSA devices add the timezone to the logs before sending? (Or will I need to make a business case that all the WSA devices should log in the same timezone regardless of physical location?)


esix_splunk
Splunk Employee

You should set your timezone on the inputs.conf where you are ingesting the data. In the data source, use the

TZ=US/Eastern

http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Propsconf

0 Karma

GDustin
Path Finder

TZ does not exist in inputs.conf.spec

0 Karma
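To make the TZ assignment concrete, here is an added example that is not part of the thread. TZ is a props.conf setting (the document linked in the answer is the props.conf reference), applied in the parsing pipeline when _time is extracted, so it belongs on the indexers or heavy forwarders that parse the WSA syslog feed, not in inputs.conf. Because every WSA logs in its own local time with no zone indicator, the stanzas are keyed by host rather than by the shared cisco:wsa:shd sourcetype. The host names (wsa-east*, wsa-central*, wsa-mountain*, wsa-west*) are assumptions; they must match the host field Splunk actually assigns to each device's events.

```ini
# props.conf on the indexers (or heavy forwarders) that parse the WSA feed.
# Added example, not from the thread. Host patterns below are assumed;
# replace them with the host values Splunk assigns to your WSA devices.
#
# TZ is applied when _time is extracted at index time, so it only affects
# events indexed after the configuration is loaded; events already on disk
# keep the _time they were given.

# Eastern devices: without this, 09:00 local is read as 09:00 in the
# indexer's own timezone and shows up an hour in the future when the
# indexer runs in Central time.
[host::wsa-east*]
TZ = US/Eastern

[host::wsa-central*]
TZ = US/Central

[host::wsa-mountain*]
TZ = US/Mountain

[host::wsa-west*]
TZ = US/Pacific
```

After restarting or reloading the parsing tier, `splunk btool props list host::wsa-east-01 --debug` shows which stanza and file supplied TZ for a given host, and the lag search from the question (`eval lag=(_indextime-_time)/3600`) should settle near zero for all four regions. For data that was indexed before the change, _time cannot be re-parsed at search time; the practical workaround is a per-host correction such as `eval _time=_time-3600` for the Eastern hosts (or a host-to-offset lookup applied the same way) inside the alert search, with the caveat that the correction is then baked into that search rather than into the data.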