Alerting

How do I adjust timezone settings for Cisco WSA data to set up accurate alerting?

kearaspoor
SplunkTrust

We have multiple Cisco WSA devices set up in each of the US timezones; each is set to log in local time. But it seems as if the WSA logs don't contain any kind of timezone indicator on them.

When I run a search in Splunk, using a user account in Central time, against a WSA device in Eastern time, I end up getting "future" events.
Example: ran a search at 8AM Central against an Eastern WSA device; there were events found with timestamps of 9AM.

Likewise when I run a search looking for lag between index time and timestamp (again from a Central Time account):

index=wsa_system sourcetype="cisco:wsa:shd" CliConn=*  | eval lag=((_indextime-_time)/(60*60))

All our Eastern devices are reporting negative lag (future timestamps), Central devices are relatively real-time, Mountain devices have approx 1hr lag, Western devices have roughly 2hr lag.

I'm trying to set up alerts for high numbers of client connections and need to know:
1) Is there any way to adjust for these time offsets at search time using our current logs?
2) Is there a way for Splunk to add the time offsets/zone to the events at indexing time?
3) Is there a way to have the WSA devices add the timezone to the logs before sending? (Or will I need to make a business case that all the WSA devices should log in the same timezone regardless of physical location?)


esix_splunk
Splunk Employee

You should set your timezone on the inputs.conf where you are ingesting the data. In the data source, use the

TZ=US/Eastern

http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Propsconf


GDustin
Path Finder

TZ does not exist in inputs.conf.spec

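For concreteness, here is the index-time configuration the thread is circling around, written as an added example (it is not code from either poster or from Cisco/Splunk documentation). The TZ setting lives in props.conf, not inputs.conf, and it is applied by whichever Splunk instance parses the events (an indexer or a heavy forwarder; a universal forwarder does not parse timestamps, so it ignores TZ). Because every WSA device is a separate host, the natural key is a per-host stanza. The host name patterns below (wsa-east-*, wsa-central-*, and so on) are assumptions; substitute whatever host value your WSA events actually carry, or write one stanza per device name if the names follow no pattern.

```ini
# props.conf on the indexer or heavy forwarder that parses the WSA feeds.
# TZ is only consulted when the raw timestamp carries no zone indicator,
# which is exactly the situation the question describes, so it will apply
# to every WSA event. Host patterns are assumed; adjust to your environment.

[host::wsa-east-*]
TZ = US/Eastern

[host::wsa-central-*]
TZ = US/Central

[host::wsa-mountain-*]
TZ = US/Mountain

[host::wsa-west-*]
TZ = US/Pacific
```

Two caveats a practitioner will want before relying on alerts built on this. First, TZ is a parse-time setting: it corrects _time for events indexed after the change takes effect and does nothing to events already on disk, so the historical "future" events stay as they are; only a search-time adjustment of _time keyed off the host can fix those, and it must be carried in every search or saved alert that touches the old data. Second, the named zones (US/Eastern and friends) follow US daylight-saving rules, which is what you want as long as the devices themselves also switch with DST; if a device is pinned to a fixed offset, use that fixed zone instead. To confirm the fix, re-run the lag search from the question after the parsing tier has been restarted: every region should now report lag close to zero rather than the staircase of -1, 0, +1 and +2 hours seen before. If the per-host map becomes a maintenance burden, standardizing the devices on UTC (the business case mentioned in the question) removes the need for it entirely, since a single TZ = UTC then covers every source.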