Channel: Questions in topic: "splunk-enterprise"

Timezone in props.conf doesn't have any effect

I am working on a demo using Splunk. I have a tool which uploads JSON data to the Windows Event Log, and Splunk UW forwards the data to a Splunk instance (on the same machine). The JSON event has a field called timestamp which I plan to use for the event time in Splunk. I also want to interpret timestamp as from a different timezone (Europe/Lisbon). I have changed the file $SPLUNK_HOME/etc/system/local/props.conf and added:

    [source::WinEventLog*]
    TIME_PREFIX=timestamp
    TIME_FORMAT=%Y-%m-%d %H:%M:%S
    TZ=Europe/Lisbon
    MAX_TIMESTAMP_LOOKAHEAD=30
    MAX_DAYS_AGO=1000

I expect the event in Splunk to show the time of the event as that in the timestamp field, and also changed by 8 hours since my computer region is PST. But it doesn't seem to have any effect on the time. The event time is shown as the time the event was posted to the Windows Event Log. Here is a sample event:

    11/14/2019 07:39:41 PM
    LogName=CustomLog
    SourceName=ECEventLogProvider
    EventCode=256
    EventType=4
    Type=Information
    ComputerName=CHECHI
    TaskCategory=Network Events
    OpCode=None
    RecordNumber=40498
    Keywords=Classic
    Message={ "country" : "United Kingdom", "description" : "Sample", "deviceId" : "Computer748", "event_id" : "34", "id" : "29", "logtype" : "Info", "msgqnum" : "0", "severity" : "High", "source" : "Sample", "system_state" : "S4/S5", "timestamp" : "2019-11-12 23:43:06", "timestamp_accuracy" : "Accurate" }

The event time in Splunk search shows as 11/14/2019 07:39:41 PM. I would expect it to be 2019-11-12 15:43:06.
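A local check of the settings in the question, as an added example (not from the original post and not Splunk's code): it models extraction as prefix regex, lookahead window and strptime, and converts Europe/Lisbon time to Pacific time. Assumptions: the format must match at the first character after the prefix match, "PST" means America/Los_Angeles, and the function name, the shortened sample event and the second prefix regex are constructed for illustration.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample: the event quoted in the post, shortened to the relevant fields.
EVENT = ('11/14/2019 07:39:41 PM\nLogName=CustomLog\nEventCode=256\n'
         'Message={ "system_state" : "S4/S5", "timestamp" : "2019-11-12 23:43:06", '
         '"timestamp_accuracy" : "Accurate" }')

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # TIME_FORMAT from the post


def extract_time(event, time_prefix, time_format=TIME_FORMAT, lookahead=30,
                 source_tz="Europe/Lisbon", display_tz="America/Los_Angeles"):
    """Hypothetical model of prefix + lookahead + strptime extraction.

    Assumption: the format is applied at the first character after the
    prefix match. Returns the event time in display_tz, or None when no
    timestamp can be parsed at that position.
    """
    match = re.search(time_prefix, event)
    if match is None:
        return None                          # prefix not found at all
    window = event[match.end():match.end() + lookahead]
    # Try the longest candidate first so text after the timestamp is ignored.
    for end in range(len(window), 0, -1):
        try:
            naive = datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
        local = naive.replace(tzinfo=ZoneInfo(source_tz))   # the TZ= setting
        return local.astimezone(ZoneInfo(display_tz))       # viewer's zone
    return None


def window_after(event, time_prefix, lookahead=30):
    """Text the format would be applied to, for inspection."""
    match = re.search(time_prefix, event)
    return None if match is None else event[match.end():match.end() + lookahead]


if __name__ == "__main__":
    for prefix in (r'timestamp', r'"timestamp"\s*:\s*"'):
        print(repr(prefix), "->", repr(window_after(EVENT, prefix)),
              "->", extract_time(EVENT, prefix))
```

With the literal prefix `timestamp`, the window begins with `" : "` rather than the year, so this model parses nothing; with a prefix that consumes the quote, colon and opening quote, it yields the 2019-11-12 15:43:06 the post expects.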
