
I have a question about how events arrive inside of a tool such as Splunk.

Currently, it appears that the plugin works by sending the records over to the log collection application in question, placing the event's time stamp, in epoch time, in the attributes of the event.

However, it would appear that within Splunk, it is marking the event time at which point it entered into Splunk.

So, for example, I have an event that happened two years ago, the time stamp on the event shows that and SailPoint shows that (even Splunk will show that if you drill into the event).

However, when I import into Splunk, let's say today (March 15, 2021), Splunk will show the event timestamp of today instead of when the actual event took place.

So when I am doing analytics, I can't actually look for when the event took place based on Splunk's timestamps (because Splunk is showing the day of import, not when the event took place): it won't actually be showing me events that took place two years ago.

Splunk would be showing those events that took place two years ago as events that took place today because that's when the events from SailPoint were imported into Splunk.

Bob

1 Answer


It sounds like the event date is being set to the index date.

What does your props.conf look like for setting the timestamp?

Based on your comment, you should add the following to the TA's local/props.conf:

# Tell Splunk where the event's own timestamp sits and how to read it:
# TIME_PREFIX is a regex that positions the parser just after the "created": key
# (\s* tolerates an optional space before the value); TIME_FORMAT then reads the
# digits as epoch seconds plus three sub-second digits, i.e. epoch milliseconds.
TIME_PREFIX = \"created\":\s*
TIME_FORMAT = %s%3N
warren
  • Just wanted to add the following information that was specific to the adaptors that we added: the file location that I needed to edit was C:\Program Files\Splunk\etc\apps\Splunk_TA_sailpoint\default\props.conf, and the following needed to be added under each of the "types" starting with [sailpoint_identityiq_syslog_events]: TIME_PREFIX=\"created\": TIME_FORMAT=%s%3N. If you wouldn't mind updating your answer, I would like to accept it as correct since it got me like 80% of the way to where I needed to be :) – Bob Mar 16 '21 at 03:09
  • @Bob - you should make the change in `local/props.conf`, not `default/props.conf`, as items in `default/` can (and often will) be overwritten when the app updates :) – warren Mar 16 '21 at 12:48
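To see why the two props.conf settings fix the problem, the script below emulates what TIME_PREFIX and TIME_FORMAT do to one raw event and then checks whether an indexed _time agrees with the record's own created stamp. This is an added example, not code from the thread, from Splunk or from the SailPoint TA; the JSON event is constructed for illustration (only the "created" attribute name comes from the answer), and the 13-digit value is a millisecond epoch, which is why %s alone would not do: read as whole seconds, it lands tens of thousands of years in the future, outside anything Splunk will accept as an event time (props.conf bounds this with MAX_DAYS_AGO and MAX_DAYS_HENCE), so the event does not end up stamped with the date the record carries.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample event (not a real SailPoint record): the event time is a
# 13-digit epoch in milliseconds under the "created" attribute, as in the thread.
SAMPLE_EVENT = (
    '{"type": "IdentityEvent", "attributes": {"created": 1552608000000, '
    '"action": "login", "target": "alice"}}'
)

# Same idea as TIME_PREFIX in the fix: a regex that positions the parser right
# after "created": so the digits that follow are read as the timestamp.
TIME_PREFIX = re.compile(r'"created":\s*')


def extract_event_time(raw: str, epoch_millis: bool = True) -> Optional[datetime]:
    """Emulate TIME_PREFIX + TIME_FORMAT on one raw event.

    epoch_millis=True  corresponds to TIME_FORMAT=%s%3N (seconds + 3 sub-second digits).
    epoch_millis=False corresponds to TIME_FORMAT=%s (the digits read as whole seconds),
    which turns a millisecond value into a date tens of thousands of years out.
    Returns None when no timestamp is found or the value cannot represent a real
    date, the situation in which the extracted time is unusable and the event
    ends up with a different _time than the record itself carries.
    """
    prefix = TIME_PREFIX.search(raw)
    if prefix is None:
        return None
    digits = re.match(r"\d+", raw[prefix.end():])
    if digits is None:
        return None
    value = int(digits.group())
    seconds = value / 1000.0 if epoch_millis else float(value)
    try:
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        # Year out of range (e.g. 51167 for a millisecond value read as seconds).
        return None


def extract_event_time_iso(raw: str, epoch_millis: bool = True) -> Optional[str]:
    """String form of extract_event_time, convenient for comparing in tests."""
    ts = extract_event_time(raw, epoch_millis)
    return ts.isoformat() if ts is not None else None


def time_matches(raw: str, indexed_epoch_s: float, tolerance_s: float = 1.0) -> bool:
    """Post-fix sanity check: does the indexed _time (given here as epoch seconds)
    agree with the event's own created stamp within a tolerance?"""
    event_time = extract_event_time(raw)
    if event_time is None:
        return False
    return abs(indexed_epoch_s - event_time.timestamp()) <= tolerance_s


if __name__ == "__main__":
    index_time = 1615766400  # 2021-03-15 00:00:00 UTC, the import day in the question
    print("event time       :", extract_event_time_iso(SAMPLE_EVENT))         # 2019-03-15T00:00:00+00:00
    print("read with %s only:", extract_event_time_iso(SAMPLE_EVENT, False))  # None (unrepresentable date)
    print("_time == created?", time_matches(SAMPLE_EVENT, index_time))         # False: still on index time
    print("_time == created?", time_matches(SAMPLE_EVENT, 1552608000))         # True: fix in effect
```

The same check can be run inside Splunk after the props.conf change by comparing _time against the extracted created field divided by 1000 over a sample of recently indexed SailPoint events; a non-zero count of mismatches means the TA stanza being hit is not the one that received the two settings.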