Hi All, currently we are facing a problem with the timestamp for Symantec log data.
Problem: When we search with the query below, we can see that the Splunk _time field is different from the event's "time" field.
Query details:
```
index=sem sourcetype="symantec:tap:incidents" time="2017-12-04T17:19:06.606Z"
```
Event detail:
```
12/4/17 12:26:52.000 PM
{
  tap_host: 10.140.37.7
  tap_incident_id: 104649
  deviceUid: [ ... ]
  device_time: 2017-12-04T17:19:06.606Z
  domainId: [ ... ]
  event_count: 6
  filehash: [ ... ]
  first_event_seen: 2017-12-04T16:30:08.000Z
  last_event_seen: 2017-12-04T17:10:37.000Z
  log_name: epmp_incident-2017-12-04/incident
  priority_level: 1
  recommended_action: If this site is not business critical, consider adding it to the Blacklist. Otherwise, consider creating a sinkhole server in your DNS to block the site.
  state: 1
  summary: Multiple malicious behaviors have been detected from xxxx.sharepoint.com.
  time: 2017-12-04T17:19:06.606Z
  updated: 2017-12-04T17:19:07.193Z
  uuid: 3ba258e0-d917-11e7-e89d-00000000005a
}
eventtype = nix_errors error   host = splunk01.xxxx.com   source = symantec_tap   sourcetype = symantec:tap:incidents
```
From the Event Action, I can see that the event's time field is "2017-12-04T17:19:06.606Z" while the _time field is "2017-12-04 12:26:52" for the same event, so "_time" is not equal to "time".
_time is being calculated based on when the event was indexed instead of when the event occurred.
**Props.conf details**: We have placed this configuration on the heavy forwarder, where the data first reaches Splunk before being ingested into the indexer.
```
[symantec:tap:incidents]
SHOULD_LINEMERGE = false
FIELDALIAS-event_host = tap_host as event_host
FIELDALIAS-dest = domainId{} as dest
FIELDALIAS-file_hash = filehash{} as file_hash
FIELDALIAS-severity_id = priority_level as severity_id
KV_MODE = json
TRUNCATE = 0
TIME_PREFIX=time:\s
TIME_FORMAT=%FT%T.%3N
MAX_TIMESTAMP_LOOKAHEAD=32
TZ=EDT
```
Question:
How can we make the _time field the same as the time field?
Kindly guide me on this.
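The question above is about how TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and TZ interact, so here is an added example (my own illustration, not the poster's configuration and not Splunk's code) that models that chain on a constructed raw event shaped like the JSON incident in the post. Two things are assumptions: that the raw event is JSON with quoted keys, which is what KV_MODE = json implies (the pretty-printed UI view shows `time: ...`, but the raw text reads `"time": "..."`), and that a prefix written for the quoted key, `"time":\s*"`, is a reasonable alternative to try; that prefix is not from the post. The UTC-5 zone is a constructed stand-in for a US Eastern TZ setting in December.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed raw event, shaped like the JSON incident shown in the post
# (only the fields needed here; the real event has more). Note the quoting:
# the raw text contains  "time": "2017-...  and never the bare  time: 2017-...
# that the Splunk UI's expanded view displays.
RAW_EVENT = (
    '{"tap_host": "10.140.37.7", "tap_incident_id": 104649, '
    '"device_time": "2017-12-04T17:19:06.606Z", "event_count": 6, '
    '"summary": "Multiple malicious behaviors have been detected from xxxx.sharepoint.com.", '
    '"time": "2017-12-04T17:19:06.606Z", '
    '"updated": "2017-12-04T17:19:07.193Z"}'
)

# Splunk strptime tokens that Python's strptime does not understand.
# %F -> %Y-%m-%d, %T -> %H:%M:%S, %3N (Splunk subseconds) -> %f
SPLUNK_TO_PYTHON = {"%F": "%Y-%m-%d", "%T": "%H:%M:%S", "%3N": "%f", "%N": "%f"}

UTC = timezone.utc
# Constructed stand-in for a US Eastern TZ setting in December (UTC-5).
EASTERN_DEC = timezone(timedelta(hours=-5), "EST")


def to_python_format(time_format: str) -> str:
    """Translate a Splunk TIME_FORMAT string into Python strptime syntax."""
    for splunk_token, py_token in SPLUNK_TO_PYTHON.items():
        time_format = time_format.replace(splunk_token, py_token)
    return time_format


def extract_timestamp(raw, time_prefix, time_format, lookahead, default_tz):
    """Simplified model (an assumption, not Splunk's implementation) of
    props.conf timestamp extraction:
      1. TIME_PREFIX is a regex; the timestamp must start right after its first match.
      2. Only MAX_TIMESTAMP_LOOKAHEAD characters after that match are examined.
      3. TIME_FORMAT is applied to the longest prefix of that window that parses.
      4. If TIME_FORMAT did not consume a zone designator, the TZ setting applies.
    Returns an aware datetime, or None when nothing could be extracted; in
    Splunk that is the path that ends with _time falling back to index time.
    """
    match = re.search(time_prefix, raw)
    if match is None:
        return None
    window = raw[match.end(): match.end() + lookahead]
    py_format = to_python_format(time_format)
    # Python's strptime needs an exact match, so try progressively shorter prefixes.
    for end in range(len(window), 0, -1):
        try:
            parsed = datetime.strptime(window[:end], py_format)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=default_tz)
        return parsed
    return None


def demo():
    """Run the three cases that matter for the question and return the results."""
    results = {}
    # 1. Exactly the settings from the post: "time:\s" never occurs in raw JSON,
    #    so no timestamp is found at all.
    results["as_posted"] = extract_timestamp(RAW_EVENT, r"time:\s", "%FT%T.%3N", 32, UTC)
    # 2. A prefix that accounts for the JSON quoting (assumed alternative). The
    #    quote before "time" keeps it from matching "device_time".
    results["quoted_prefix_utc"] = extract_timestamp(
        RAW_EVENT, r'"time":\s*"', "%FT%T.%3N", 32, UTC)
    # 3. Same prefix, but %FT%T.%3N never consumes the trailing Z, so whatever
    #    TZ says is applied; a non-UTC zone shifts the event by its offset.
    results["quoted_prefix_eastern"] = extract_timestamp(
        RAW_EVENT, r'"time":\s*"', "%FT%T.%3N", 32, EASTERN_DEC)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} -> {value.isoformat() if value else None}")
```

Case 1 is the one that produces the symptom in the post: when the prefix regex never matches, the configured format is never tried against the value of `time`, and the event ends up stamped with something other than its own time. Cases 2 and 3 show that fixing the prefix alone is not enough: because the format stops before the `Z`, the zone comes from TZ, and a zone other than UTC silently shifts every event by several hours, which is exactly the kind of offset that makes incidents sort out of order in an investigation timeline.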