
How to edit props.conf to adjust the default UTC timestamp?

Hegemon76
Communicator

Hello,

I'm trying to adjust this raw data seen below. Our office is EST and the FireEye appliance is BST, but the test alerts I'm generating are coming in UTC. I've looked all over the place to change this:

8/23/16 
2:09:48.000 PM  
<162>fenotify-3386.crit: CEF:0|FireEye|MPS|7.8.1.468932|MC|malware-callback|7|rt=Aug 23 2016 18:04:23 UTC

I made a props.conf in the local directory for the search app and put this inside but it doesn't seem to be working either.

[fe_alert]
TIME_PREFIX = ^\d+\w+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%BST
MAX_TIMESTAMP_LOOKAHEAD = 28

Any help would be appreciated.

Thank You

0 Karma

diogofgm
SplunkTrust

You can use the TZ attribute. From the props.conf docs:

TZ = <timezone identifier>
* The algorithm for determining the time zone for a particular event is as
  follows:
* If the event has a timezone in its raw text (for example, UTC, -08:00),
  use that.
* If TZ is set to a valid timezone string, use that.
* If the event was forwarded, and the forwarder-indexer connection is using
  the 6.0+ forwarding protocol, use the timezone provided by the forwarder.
* Otherwise, use the timezone of the system that is running splunkd.
* Defaults to empty.

I would suggest, if possible, using a forwarder on the other location so anything that comes from there, like your appliance data, gets the proper time and you don't need to set it in the sourcetype stanza.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
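To make the TZ rule above concrete for the FireEye line in the question, here is an added props.conf stanza (not from the original post, the answer, or FireEye's own docs). It assumes the events are tagged with sourcetype fe_alert, as in the poster's attempt, and that the only timestamp in the raw event is the CEF rt= field (the sample line has no syslog timestamp after the <162> PRI). It anchors extraction on rt= and uses TZ as the fallback zone, so it does not rely on Splunk recognizing the trailing "UTC" token:

```ini
# Added example stanza for the FireEye CEF feed shown in the question.
# Stanza name assumes the data is indexed with sourcetype fe_alert.
[fe_alert]

# Skip the <162> PRI, the fenotify tag and the CEF header fields and start
# looking for the timestamp right after "rt=".
TIME_PREFIX = rt=

# Matches "Aug 23 2016 18:04:23". The trailing " UTC" is deliberately not
# consumed here; TZ below supplies the zone instead, so the result is the
# same whether or not this Splunk version honors %Z in TIME_FORMAT.
TIME_FORMAT = %b %d %Y %H:%M:%S

# "Aug 23 2016 18:04:23" is 20 characters after the prefix; leave some slack.
MAX_TIMESTAMP_LOOKAHEAD = 24

# The appliance writes rt= in UTC, so the fallback zone must be UTC, not the
# appliance's local BST (Europe/London). Per the docs quoted above, TZ is only
# consulted when the parsed timestamp text carries no zone of its own.
TZ = UTC
```

Two things to check when this does not take effect. First, timestamp extraction happens at parse time, so the stanza must be on the indexer or heavy forwarder (for example in $SPLUNK_HOME/etc/system/local/props.conf or an app's local directory there), not only in the search app on a search head, and it applies to events indexed after the restart, not to data already on disk. Second, _time is stored as an epoch value; the 8/23/16 2:09:48 PM shown in the question is that epoch rendered in the searching user's time zone preference, so a user whose account is set to Europe/London sees the same event in BST without any eval. The five-minute gap between the displayed 14:09:48 and the rt= value of 18:04:23, on top of the four-hour EDT offset, is consistent with Splunk not having found rt= at all and having fallen back to index time; the TIME_PREFIX above is what fixes that.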

Hegemon76
Communicator

Thanks for your response, but you obviously copied and pasted what's in the props.conf documentation. I've already looked at that.

0 Karma

Hegemon76
Communicator

At this point I would settle for using an eval command to change my time 8/23/16 6:50:17.000 PM to BST

Is that even possible?

0 Karma