About Alex00001

Alex00001 · ‎03-21-2023

Thank you for you advise, I wonder how can I modify events before indexing in wineventlog. And what make me confused is why splunk forwarder doesn't add timezone info in winevent logs. Although TZ can make `_time` equals to raw time in logs, that is not the real time log reported in my timezone and will add persistent work to remind others that we have some logs not in our timezone and blabla... I need to manage the log uniformly instead of divide it into different indexes by timezone. Thank you.

Alex00001 · ‎03-21-2023

Thank you for your answer. I had tried TZ attr, and as i know, it only change the timestamp but not change the time info in windows raw event. What I want is following image, I don't know if I made my problem clear.

Alex00001 · ‎03-20-2023

Timezone on my splunk indexer is GMT and windows machine is PST. I found that the metadata from Windows Eventlogs lose timezone info so that time in raw events is 8 hour earlier than `_time` which is real time in GMT. The influence is that all of these log will 8 hours earlier than the real time after a `collect` action. Such as the following image which just collect the datas into a new index. I want Windows Eventlogs can be added a timezone info or we can modify time info in windows splunk universal forwarder. I have tried change props.conf in forwarder and indexer but it change the timestamp but not raw events. What's more, I will not change system timezone on machine because unknown problems maybe imported into systems. Can I change the time info in Windows Eventlogs without change windows system timezone?

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎03-20-2023

Online Status	Offline
Date Last Visited	‎03-21-2023 04:14 AM

Windows Eventlogs from windows splunk universal fo...

Re: Windows Eventlogs from windows splunk universa...

Re: Windows Eventlogs from windows splunk universa...

Windows Eventlogs from windows splunk universal fo...