How can we get cribl to keep the time within the log?

Is your data coming into Splunk without a time field?

Yeah, I also don't really get the question

We thought by using auto timestamp and setting it to local would keep the local tme.

sorry, I was going to add more detail but got called away. The time in the event, is the local time for the system where the log is generated. We do not want Splunk or Cribl to adjust the time

There are no other timestamps in the event, other than the first one. Here is a snip of the raw event.2023/03/07 10:52:49.815 stAgentSvc p581c t34f0 info tunnel.cpp:841 nsTunnel TLS [sessId 1] Tunneling flow

What is the timestamp you are expecting from the original event in Cribl? I can think of a few ways to maintain that is its in the Cribl _raw

Local means the timezone on the Cribl worker itself. If you want to adjust the time to UTC, then you'll need to specify UTC in the "Default Timezone" box.I would also encourage you to adjust this on your Event Breaker/Source. For Syslog, this is under Advanced Settings.

Are Cribl and that source running on the same timezone?

If not, how should Cribl (or Splunk) crystalbally guess the timezone on the remote box?

Also, the display in Splunk is based on the Splunk users timezone setting

Yeah, then that's the issue you have

The logs are from systems all over the world, and it looks like the log entry uses the system time.

Syslog is an old and crappy standard that never included timezones because, to be fair, when it was invented nobody thought about worldwide log collection and stuff

My $0.02 here... use a lookup to determine the sender's timezone. Use this to then feed to the `C.Time.adjustTz()` function.I do this in the PAN pack. https://github.com/criblpacks/cribl-palo-alto-networks/blob/master/default/pipelines/pan_traffic/conf.yml#L227-L228

these are not syslog, these are collected via the Splunk UF installed on the system

Ah, you're right, my concentration was disturbed by a 4 year old gremlin

Mh, UFs should transport the system time zone but I vaguely remember that that doesn't work super well and/or wasn't supported by Cribl

yep, that is what is odd. I do not remember really ever running into this before

I assume most of the time your logs had timezone info, or the sender and Cribl where in the same time zone

Default Time Zone for the Splunk TCP source is also `Local` . <@UQA16GHUN&gt; can you run the command `date` on your Stream worker to see the configured time zone?

You can use C.Time.strftime and grab the Cribl raw _time and convert all of it to UTC if you're looking for a singular time zone use. The last parameter of True/False is the setting you'll want to look at

The issue here is that these logs come from a timezone different than the Cribl timezone and that zone information is missing from the event

I see what you're saying

So you effectively have to keep a lookup or something else to derive the timezone from hostname etc

Or, what you can do, if your logs have no delay, determine difference between recognized timestamp and current time. That delay is likely very close to a multiple of 1 hour. If that's the case, use that multiple and add/subtract it from the timestamp