https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608209#M105543 <P>This may help you.</P><P><A href="https://www.youtube.com/watch?v=Q5EWCT79nZ4" target="_blank">https://www.youtube.com/watch?v=Q5EWCT79nZ4</A></P> Thu, 04 Aug 2022 03:39:55 GMT chaker 2022-08-04T03:39:55Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608198#M105541 <P>hi,</P> <P>Please check with below screenshot</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Atchyuth_P_1-1659577705527.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20844i0DDB33590148BCFD/image-size/medium?v=v2&amp;px=400" role="button" title="Atchyuth_P_1-1659577705527.png" alt="Atchyuth_P_1-1659577705527.png" /></span></P> <P>The indexed time and event log time both are different. Kindly let me know the solution to fix this error.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Aug 2022 14:35:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608198#M105541 Atchyuth_P 2022-08-04T14:35:20Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608207#M105542 <P>Hello,</P><P>You will need to provide timestamp extraction settings to correctly identify that time stamp, if none of the pre trained source types are picking it up.</P><P>I suggest you try to add that data using different sourcetypes in the data preview tool, to see which on extracts your time stamp, then use that setting in your own sourcetype settings.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/HowSplunkextractstimestamps" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/HowSplunkextractstimestamps</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#Timestamp_extraction_configuration" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#Timestamp_extraction_configuration</A></P> Thu, 04 Aug 2022 03:36:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608207#M105542 chaker 2022-08-04T03:36:39Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608209#M105543 <P>This may help you.</P><P><A href="https://www.youtube.com/watch?v=Q5EWCT79nZ4" target="_blank">https://www.youtube.com/watch?v=Q5EWCT79nZ4</A></P> Thu, 04 Aug 2022 03:39:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608209#M105543 chaker 2022-08-04T03:39:55Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608218#M105544 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237468">@Atchyuth_P</a>,</P><P>this means thet there's a parsing error.</P><P>Could your share a sample of your logs to find the correct configuration?</P><P>Ciao.</P><P>Giuseppe</P> Thu, 04 Aug 2022 06:43:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608218#M105544 gcusello 2022-08-04T06:43:20Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608372#M105564 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Please check the below screenshot for reference.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Atchyuth_P_0-1659666952599.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20869i4759861AA3EAE1BE/image-size/medium?v=v2&amp;px=400" role="button" title="Atchyuth_P_0-1659666952599.png" alt="Atchyuth_P_0-1659666952599.png" /></span></P><P>I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Atchyuth_P_1-1659667143760.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20870i5647913F71A18685/image-size/medium?v=v2&amp;px=400" role="button" title="Atchyuth_P_1-1659667143760.png" alt="Atchyuth_P_1-1659667143760.png" /></span></P><P>I have tried with the TZ setting but was unable to solve it.</P><P>Please help</P><P>&nbsp;</P> Fri, 05 Aug 2022 02:40:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608372#M105564 Atchyuth_P 2022-08-05T02:40:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608378#M105565 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165039">@chaker</a>&nbsp;</P><P>&nbsp;</P><P>Thank you so much. I have learned a lot about Splunk while watching your videos and those helped me to shift my career transition.</P><P>Please check the below screenshot for reference.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Atchyuth_P_1-1659667441524.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20872iFB8F0EDBDE118042/image-size/medium?v=v2&amp;px=400" role="button" title="Atchyuth_P_1-1659667441524.png" alt="Atchyuth_P_1-1659667441524.png" /></span></P><P><SPAN>I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Atchyuth_P_2-1659667567922.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20873i1B32386574ACA0E4/image-size/medium?v=v2&amp;px=400" role="button" title="Atchyuth_P_2-1659667567922.png" alt="Atchyuth_P_2-1659667567922.png" /></span></P><P>I have tried with the TZ setting but was unable to solve it.</P><P>Please help</P><P>&nbsp;</P> Fri, 05 Aug 2022 02:46:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608378#M105565 Atchyuth_P 2022-08-05T02:46:57Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608400#M105567 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237468">@Atchyuth_P</a>,</P><P>please share your logs as text in the "Insert/Edit Code Sample" otherwise I cannot use them.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Aug 2022 07:56:02 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608400#M105567 gcusello 2022-08-05T07:56:02Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608466#M105569 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237468">@Atchyuth_P</a>,</P><P>anyway, please try in your props.conf:</P><LI-CODE lang="markup">[your_sourcetype] TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[ TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N MAX_TIMESTAMP_LOOKAHEAD = 26</LI-CODE><P>This props.conf must be located on Indexers or (if present) On Heavy Forwarders.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Aug 2022 13:57:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608466#M105569 gcusello 2022-08-05T13:57:38Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608509#M105571 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DSCN0012.jpg" style="width: 640px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20903i6DBDBFC4531C834F/image-size/large?v=v2&amp;px=999" role="button" title="DSCN0012.jpg" alt="DSCN0012.jpg" /></span></P> Fri, 05 Aug 2022 16:07:48 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Event-Log-time-and-Indexed-time-different/m-p/608509#M105571 wapese3400 2022-08-05T16:07:48Z