Splunk Search

Eventtime(_time) is showing 5hours prior to indextime

djreschke
Communicator

Good morning everyone, 

I have a source type that shows the event time as 5 hours prior to the index time. I have tried adding the TZ stanza to the TA, as we are currently in the America\New_York TZ, and after a restart the issue is still occurring.

This is a syslog input where Splunk has a monitor input configured and the data is being ingested from there. I am at a loss as to what else to try or look at, since I haven't had any luck yet.

The TA is pushed from a DS to the search and the props.conf has been updated from that point. 

Thank you for any help in advance.

The search for the information below was found at this link:

https://community.splunk.com/t5/Getting-Data-In/Incorrect-event-time-in-Splunk/m-p/136662

Search result (one event, shown field by field):

_time       2020-12-18 01:56:19
delay       18001
indextime   12/18/2020 06:56:20
date_zone   0
host        1.1.1.1
source      /var/log/syslog-ng/fireeye_hx/1.1.1.1/1.1.1.1_2020-12-18.log
sourcetype  hx_cef_syslog
_raw        2020-12-18T06:56:19+00:00 1.1.1.1 cef[18505]: CEF:0|fireeye|hx|5.0.2|Malware Hit Found|Malware Hit Found|10|rt=Dec 18 2020 11:56:19 UTC dvchost=xxxx deviceExternalId=xxxx categoryDeviceGroup=/IDS categoryDeviceType=Malware Protection categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=hash dst=x.x.x.x dmac=xx-xx-xx-xx-xx-xx dhost=MAC1 dntdom=xyz deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Dec 18 2020 07:52:21 UTC cs2Label=FireEye Agent Version cs2=x.x.x cs5Label=Target GMT Offset cs5=-PT5H cs6Label=Target OS cs6=somemachine externalId=24807616 start=Dec 18 2020 11:56:00 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=malware cs12Label=Malware Category cs12=file-event act=Detection MAL Hit msg=Host xxxx Malware alert categoryTupleDescription=Malware Protection found a compromise indication. cs4Label=Process Name cs4=Process categoryTechnique=Malware cs13Label=Malware Engine cs13=AV


0 Karma

djreschke
Communicator

index=xyz sourcetype=hx_cef_syslog host=1.1.1.1 
| convert ctime(_indextime) AS indextime
| eval delay=_indextime-_time
| table _time delay indextime date_zone host source sourcetype _raw

0 Karma
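Added example (not from the original post or from Splunk): a small Python script that reproduces the delay calculation from the search above on the single event shown in the question, and separates the two timestamps the event actually carries: the syslog-ng header "2020-12-18T06:56:19+00:00" (which has an explicit +00:00 offset, so Splunk honours that offset and a TZ stanza in props.conf does not apply to it) and the CEF field rt=Dec 18 2020 11:56:19 UTC. It assumes the Splunk UI displays times in America/New_York, which is UTC-5 in December, and uses the _indextime value from the table (12/18/2020 06:56:20) as a constructed input. The sample event is the page's raw line trimmed to the CEF fields the script reads.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the event from the post, CEF extension trimmed to the
# fields used here (rt= and cs5=). All values are as shown on the page.
RAW = ("2020-12-18T06:56:19+00:00 1.1.1.1 cef[18505]: CEF:0|fireeye|hx|5.0.2|"
       "Malware Hit Found|Malware Hit Found|10|rt=Dec 18 2020 11:56:19 UTC "
       "dvchost=xxxx cs5Label=Target GMT Offset cs5=-PT5H externalId=24807616")

# Assumption: the search UI shows times in America/New_York, UTC-5 in December.
DISPLAY_TZ = timezone(timedelta(hours=-5))


def header_time(raw):
    """Timestamp from the syslog-ng header; it carries its own +00:00 offset."""
    stamp = raw.split(" ", 1)[0]
    return datetime.fromisoformat(stamp)  # tz-aware, UTC


def cef_ext(raw):
    """CEF extension key=value pairs; values run until the next ' key=' token."""
    ext = raw.split("|", 7)[7]
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext))


def rt_time(raw):
    """Receipt time reported by the FireEye HX appliance (rt=..., always UTC here)."""
    rt = cef_ext(raw)["rt"]
    return datetime.strptime(rt, "%b %d %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def target_offset_hours(raw):
    """cs5 is an ISO 8601 duration such as -PT5H; return it as signed hours."""
    m = re.fullmatch(r"([+-]?)PT(\d+)H", cef_ext(raw)["cs5"])
    return int(m.group(2)) * (-1 if m.group(1) == "-" else 1)


def analyze(raw, indextime):
    """Mirror `eval delay=_indextime-_time` for both candidate event timestamps.

    indextime must be tz-aware. _time_from_header is what the table shows
    when Splunk takes the header timestamp; _time_from_rt is what it would
    show if TIME_PREFIX=rt= and a matching TIME_FORMAT were used instead.
    """
    hdr, rt = header_time(raw), rt_time(raw)
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "_time_from_header": hdr.astimezone(DISPLAY_TZ).strftime(fmt),
        "delay_from_header": int((indextime - hdr).total_seconds()),
        "_time_from_rt": rt.astimezone(DISPLAY_TZ).strftime(fmt),
        "delay_from_rt": int((indextime - rt).total_seconds()),
        # How far the header clock is from the appliance clock, in hours.
        "header_minus_rt_hours": int((hdr - rt).total_seconds() // 3600),
        "target_offset_hours": target_offset_hours(raw),
    }


def example():
    """Run the analysis against the _indextime value shown in the post's table."""
    indextime = datetime(2020, 12, 18, 6, 56, 20, tzinfo=DISPLAY_TZ)
    return analyze(RAW, indextime)


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key:24} {value}")
```

On this event the header-derived _time is 01:56:19 with a delay of 18001 seconds (the table's values), while rt gives 06:56:19 and a delay of 1 second. The header clock sits exactly 5 hours behind the appliance's rt, the same magnitude as the endpoint's own cs5=-PT5H offset, which is the kind of evidence to check before changing props.conf: a timestamp that already states "+00:00" is taken at face value, so the fix lies in either correcting the writer of that header or pointing Splunk's timestamp extraction at the rt field.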