Timestamps Ignoring Timezone

bengoerz · ‎12-08-2017

I am having a problem where _time is extracted in the wrong timezone.

My McAfee Web Gateway is in CDT (TZ = Americas/Chicago), but _time is being extracted in UTC.

Here's an example event where Splunk shows _time = 12/8/17 2:18:58.000 AM:

Dec  8 08:18:58 usproxy43 mwg: McAfeeWG|time_stamp=[08/Dec/2017:08:18:58 -0600]|auth_user=User123|src_ip=172.16.0.2|server_ip=123.234.123.234|host=google.com|url_port=443|status_code=200|bytes_from_client=9247|bytes_to_client=415|categories=Search Engines|rep_level=Minimal Risk|method=POST|url=https://google.com/|media_type=application/x-empty|application_name=|user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36|block_res=0|block_reason=|virus_name=|hash=|filename=upload|filesize=0|

I was unsuccessful at trying to fix using TZ in props.conf on the Universal Forwarder:

[host::*proxy*]
TZ = America/Chicago

Is my problem with the TZ on the forwarder, or something in the app?

cpetterborg · ‎12-09-2017

Add the following to your props.conf file on the indexers, not the universal forwarders:

[host::*proxy*]
TIME_FORMAT=%d/%b/%Y:%T %z
TIME_PREFIX=\[

It has probably been taking the first date, instead of the one with later in the event that has the timezone information.

bengoerz · ‎12-12-2017

Thanks. I'm on Cloud, so going to take a while to get indexer changes implemented.

Out of curiosity, why don't we just do traditional field extraction on the Search Head?

cpetterborg · ‎12-12-2017

What do you consider traditional field extraction? Splunk best practice is to do field extraction on the search heads.

bengoerz · ‎12-12-2017

Right. This app does a bunch of fancy transforms, instead of just doing field extraction on the search heads per Splunk best practice. Why?

cpetterborg · ‎12-12-2017

What is the app? Is it from Splunkbase? Sometimes a developer wants to have all the fields extracted to make their searches faster (like if you need tstats speed), which is fine, UNTIL something changes in the format or similar change. It can also be a load on the indexers, which isn't good.

bengoerz · ‎12-12-2017

The app is Splunk Add-on for McAfee Web Gateway (http://apps.splunk.com/app/3009/).

BTW, I just created my own field extraction on the search heads as an alternate to this app. Posting the regex for posterity or comments:

time_stamp=\[(?P<time>[^"]*)]\|auth_user=(?P<user>[^"]*)\|src_ip=(?P<src_ip>[^"]*)\|server_ip=(?P<dest_ip>[^"]*)\|host=(?P<dest>[^"]*)\|url_port=(?P<dest_port>[^"]*)\|status_code=(?P<status>[^"]*)\|bytes_from_client=(?P<bytes_out>[^"]*)\|bytes_to_client=(?P<bytes_in>[^"]*)\|categories=(?P<category>[^"]*)\|rep_level=(?P<severity>[^"]*)\|method=(?P<http_method>[^"]*)\|url=(?P<url>[^"]*)\|media_type=(?P<http_content_type>[^"]*)\|application_name=(?P<application_name>[^"]*)\|user_agent=(?P<http_user_agent>[^"]*)\|block_res=(?P<action>[^"]*)\|block_reason=(?P<block_reason>[^"]*)\|virus_name=(?P<signature>[^"]*)\|hash=(?P<file_hash>[^"]*)\|filename=(?P<file_name>[^"]*)\|filesize=(?P<filesize>[^"]*)\|

saurabh_tek11 · ‎12-10-2017

@cpetterborg - i tried to do the solution in my test instance.
i am in Dubai which is UTC+4

My space instance is showing the _time for this event after applying above answered props is

12/8/17
6:18:58.000 PM

Is this correct for my splunk instance to show ?

Considering event has UTC -6 and +4 for my location = event time -2 in my location.
Just want to validate if i am thinking it right way ??

cpetterborg · ‎12-10-2017

That looks correct to me. I started by figuring out what it should be, then comparing with your answer so that I wouldn't be swayed, and I got the same answer. I believe that has worked for you.

Timestamps Ignoring Timezone

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes