zeek ts conversion

venkatesh_bandari · October 30, 2019, 3:31am

Hello team,

we are doing a zeek poc.iam doing the integration with splunk.in the spunk logs i see the ts value which is not in human readable format.zeek-cut/bro-cut on the box can be used to convert ts to human readable format using -d

the question is how can i do this before sending the json logs to splunk.is there a way

Thanks
Venkatesh

Seth_Hall2 · October 31, 2019, 12:08pm

In local.bro, add the following line…

redef LogAscii::json_timestamps = JSON::TS_ISO8601;

That should make your log have timestamps in ISO8601 time format which most systems natively recognize and understand.

.Seth

venkatesh_bandari · November 1, 2019, 11:17am

Thank you Seth

Topic		Replies	Views
How to write TSV logs with ISO timestamps Zeek	2	265	November 3, 2022
Timestamp conversion code Zeek	3	84	May 6, 2022
bro_json-logs Zeek	6	92	May 6, 2022
bro logging gzip Zeek	1	99	May 6, 2022
I miss cf Zeek	2	37	May 6, 2022

zeek ts conversion

Related Topics