topic time indexing not correct in Deployment Architecture https://community.splunk.com/t5/Deployment-Architecture/time-indexing-not-correct/m-p/214920#M23749 <P><IMG src="https://community.splunk.com/storage/temp/67251-capture.png" alt="alt text" /></P> <P>Hi attached is the image which shows there is a difference in the Time field and the actual time which comes from the input file getting indexed with column name alertdate. <BR /> so that means the index time and alertdate are not in sync which is incorrect right . Can you help me here. </P> <P>I am using below configuration. <BR /> props.conf<BR /> [zbxAlertReport]<BR /> SHOULD_LINEMERGE = false<BR /> INDEXED_EXTRACTIONS = csv<BR /> FIELD_DELIMITER = ,<BR /> FIELD_NAMES = alerthost,hostname,alertname,alertstatus,alertseverity,alertdate<BR /> TIMESTAMP_FIELDS = date<BR /> TIME_FORMAT = %a%b%d%H:%M:%S%Y<BR /> category = Structured<BR /> MAX_TIMESTAMP_LOOKAHEAD = 500</P> <P>transforms.conf<BR /> [zbxAlertReport]<BR /> filename = ZbxDailyReport.csv</P> Tue, 29 Sep 2020 07:46:42 GMT splunksurekha 2020-09-29T07:46:42Z time indexing not correct https://community.splunk.com/t5/Deployment-Architecture/time-indexing-not-correct/m-p/214920#M23749 <P><IMG src="https://community.splunk.com/storage/temp/67251-capture.png" alt="alt text" /></P> <P>Hi attached is the image which shows there is a difference in the Time field and the actual time which comes from the input file getting indexed with column name alertdate. <BR /> so that means the index time and alertdate are not in sync which is incorrect right . Can you help me here. </P> <P>I am using below configuration. <BR /> props.conf<BR /> [zbxAlertReport]<BR /> SHOULD_LINEMERGE = false<BR /> INDEXED_EXTRACTIONS = csv<BR /> FIELD_DELIMITER = ,<BR /> FIELD_NAMES = alerthost,hostname,alertname,alertstatus,alertseverity,alertdate<BR /> TIMESTAMP_FIELDS = date<BR /> TIME_FORMAT = %a%b%d%H:%M:%S%Y<BR /> category = Structured<BR /> MAX_TIMESTAMP_LOOKAHEAD = 500</P> <P>transforms.conf<BR /> [zbxAlertReport]<BR /> filename = ZbxDailyReport.csv</P> Tue, 29 Sep 2020 07:46:42 GMT https://community.splunk.com/t5/Deployment-Architecture/time-indexing-not-correct/m-p/214920#M23749 splunksurekha 2020-09-29T07:46:42Z Re: time indexing not correct https://community.splunk.com/t5/Deployment-Architecture/time-indexing-not-correct/m-p/214921#M23750 <P>Splunk isn't finding a timestamp that matches the specified criteria so it's using current time. Making the following changes should fix it.</P> <P>The TIMESTAMP_FIELDS value is "date", but there is no such field in the event. Perhaps it should be "alertdate".<BR /> The TIME_FORMAT value looks like it doesn't match the data in the alertdate field. Try <CODE>TIME_FORMAT = %a %b %d %H:%M:%S %Y</CODE>.</P> Tue, 29 Sep 2020 07:49:25 GMT https://community.splunk.com/t5/Deployment-Architecture/time-indexing-not-correct/m-p/214921#M23750 richgalloway 2020-09-29T07:49:25Z