topic Re: SA-ldapsearch TA timestamp issue in Getting Data In

SA-ldapsearch TA timestamp issue

tech_g706 — Mon, 09 Jun 2025 11:54:37 GMT

Hi,

I am experiencing issue with SA-ldapsearch TA.
I am using this search to validate the timestamp

index = <index name>
| eval bucket=_bkt
| eval diff = _indextime - _time
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")
| table indextime capturetime diff _raw

I can see that, the indextime = 2025-06-08 05:00:20 but capturetime = 2020-01-13 10:00:01

Splunk is ingesting the latest ldap events but _time field is having timestamps of 2020.

In the raw event, there are multiple timestamps available:

"whenCreated":"2018-06-05 10:43:19+00:00
"whenChanged":"2024-02-11 13:52:37+00:00
"pwdLastSet":"2019-07-24T06:41:44.698530Z
"lastLogonTimestamp":"2019-07-24T06:41:44.282975Z

but I am not able to understand how the TA is extracting the 2020 timestamp from the raw as there is no such timestamp in the raw event.

Re: SA-ldapsearch TA timestamp issue

richgalloway — Mon, 09 Jun 2025 12:50:15 GMT

What do you expect/want to see for capturetime? None of the timestamps in the event seem appropriate and all of them will either throw a warning or cause a quarantine bucket to be created.

Please share the props.conf settings for that sourcetype.

Re: SA-ldapsearch TA timestamp issue

livehybrid — Mon, 09 Jun 2025 13:31:00 GMT

Hi @tech_g706

If there are no fields in the event that you want to use as the _time field when it is ingested then I would recommend forcing the _time to be the ingestion time using the following props.conf update:

[yourSourcetype] # Your other props here # Set _time to current time DATETIME_CONFIG = CURRENT

If you want one of the fields in the event to be _time then please share the full raw event and details of the field which should be _time.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: SA-ldapsearch TA timestamp issue

tech_g706 — Mon, 09 Jun 2025 13:34:24 GMT

@richgalloway

My understanding is that, if indextime is today so _time should have been the same since there is no delay during ingestion.

Here is the default props.conf that comes with the SA-ldapsearch TA: (there is no transform.conf)

[source::.../var/log/splunk/SA-ldapsearch.log]
sourcetype = SA-ldapsearch

[SA-ldapsearch]
EXTRACT-vars = Level=.+, (?<log_source>Pid=.+, File=.+, Line=.+), (?<message>.*)

Re: SA-ldapsearch TA timestamp issue

livehybrid — Mon, 09 Jun 2025 13:37:11 GMT

Not quite, _indextime will always the time its indexed, however _time is usually derived/determined from the data. For some reason Splunk is detecting the incorrect time.

Try updating your props like this:

[source::.../var/log/splunk/SA-ldapsearch.log] sourcetype = SA-ldapsearch DATETIME_CONFIG = CURRENT

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing