Hello,
What is the best way to handle a scripted input so that it echoes the date in a format Splunk can interpret easiest?
Currently I use the date command, example:
echo "`date` permission=\"BLOCKED\" user=\"$item\""
It echoes to stdout as:
Sat Sep 24 08:30:32 EST 2016 permission="ALLOWED" user="root"
In this case the EST is Australian (Sydney) timezone.
cat /etc/sysconfig/clock
ZONE="Australia/Sydney"
UTC=true
ARC=false
Splunk search heads and indexers are in US time zones so I'm receiving "delayed" data whereby searching for this data for the last hour is actually data from many hours ago.
How do I avoid this behavior for my international systems?
Thank you.
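An added example, not from the original post, of the same scripted input emitting a timestamp with a numeric UTC offset instead of the ambiguous "EST" abbreviation; it assumes GNU date (the `-d "@EPOCH"` form) and uses a hypothetical props.conf stanza name:

```shell
#!/bin/sh
# Added example (not the poster's script). Assumes GNU date: -d "@EPOCH" is a GNU extension.
# The posted script prints `date`'s default output, whose zone abbreviation "EST" is
# ambiguous (US Eastern or Australian Eastern), so an indexer in a US zone may place
# the event many hours off. Both functions below emit the same event with a numeric
# offset (%z), so the parsed time no longer depends on the indexer's local zone.
# Optional third argument: a fixed epoch-seconds value for repeatable output (default: now).

# Emit the event in UTC, e.g. 2016-09-23T22:30:32+0000 permission="BLOCKED" user="root"
emit_event_utc() {
    permission=$1
    user=$2
    when=${3:-$(date +%s)}
    ts=$(date -u -d "@$when" +%Y-%m-%dT%H:%M:%S%z)
    printf '%s permission="%s" user="%s"\n' "$ts" "$permission" "$user"
}

# Emit the event in the host's local zone with its offset, e.g. on a Sydney host
# 2016-09-24T08:30:32+1000 ...; "+1000" is unambiguous where "EST" is not.
emit_event_local() {
    permission=$1
    user=$2
    when=${3:-$(date +%s)}
    ts=$(date -d "@$when" +%Y-%m-%dT%H:%M:%S%z)
    printf '%s permission="%s" user="%s"\n' "$ts" "$permission" "$user"
}

# Matching Splunk side, props.conf for the sourcetype (stanza name is a placeholder):
#   [script_permissions]
#   TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
# One TIME_FORMAT covers both functions, since both end in a numeric offset.

# In the scripted input, replace the original echo line with:
#   emit_event_utc BLOCKED "$item"
# Demonstration using the post's timestamp (Sat Sep 24 08:30:32 AEST 2016, epoch 1474669832):
emit_event_utc BLOCKED root 1474669832
emit_event_local ALLOWED root 1474669832
```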