topic Re: timestamp and itime does not match in Getting Data In https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751688#M119347 <P>Hello,</P><P>FortiWeb is configured with NTP.</P><P>Regards,</P> Fri, 15 Aug 2025 05:01:26 GMT phamanh1652 2025-08-15T05:01:26Z timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751476#M119331 <P>We’re using Splunk Cloud and have configured SC4S to collect logs from FortiAnalyzer, which receives logs from both FortiGate and FortiWeb devices. Most events are processed correctly, with the<SPAN>&nbsp;</SPAN>timestamp<SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN>itime<SPAN>&nbsp;</SPAN>fields matching. However, we’ve noticed that for some events from FortiWeb, the<SPAN>&nbsp;</SPAN>timestamp<SPAN>&nbsp;</SPAN>is ahead of the<SPAN>&nbsp;</SPAN>itime<SPAN>&nbsp;</SPAN>by approximately 14–15 minutes. Based on our analysis,<SPAN>&nbsp;</SPAN>itime<SPAN>&nbsp;</SPAN>reflects the actual time the event occurred.</P><P>I’ve reviewed the raw logs and confirmed that all related components are configured to use the same time zone. Has anyone else experienced this issue? Any insights or solutions would be greatly appreciated.</P> Wed, 13 Aug 2025 03:54:52 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751476#M119331 phamanh1652 2025-08-13T03:54:52Z Re: timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751479#M119333 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260527">@phamanh1652</a>&nbsp;</P><P>Can you check system time on fortiweb? Is it configured locally or NTP?</P><P>#<A href="https://docs.fortinet.com/document/fortiweb/7.0.11/administration-guide/780143/setting-the-system-time-date" target="_blank">https://docs.fortinet.com/document/fortiweb/7.0.11/administration-guide/780143/setting-the-system-time-date</A></P><P><BR />Regards,<BR />Prewin<BR />Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Wed, 13 Aug 2025 04:49:37 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751479#M119333 PrewinThomas 2025-08-13T04:49:37Z Re: timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751492#M119335 <P>Such offset (unless you're in a very very unusual time zone) suggests that either:</P><P>1) Time on the source is not set correctly or</P><P>2) There is an ingestion lag and (this is used as conjunction, not consequence) the timestamp is not parsed from the event itself but assigned from the time of ingestion.</P> Wed, 13 Aug 2025 05:50:13 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751492#M119335 PickleRick 2025-08-13T05:50:13Z Re: timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751688#M119347 <P>Hello,</P><P>FortiWeb is configured with NTP.</P><P>Regards,</P> Fri, 15 Aug 2025 05:01:26 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751688#M119347 phamanh1652 2025-08-15T05:01:26Z Re: timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751690#M119348 <P>Btw, what do you mean by itime? Index time? How can it be ahead of the actual time?</P> Fri, 15 Aug 2025 06:04:36 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751690#M119348 PickleRick 2025-08-15T06:04:36Z Re: timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751694#M119349 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phamanh1652_1-1755240709055.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39973iE11799C6A704389F/image-size/medium?v=v2&amp;px=400" role="button" title="phamanh1652_1-1755240709055.png" alt="phamanh1652_1-1755240709055.png" /></span></P><P>This is an event of Fortiweb:</P><P>event time of splunk 11:53:13</P><P>timestamp=1755258793 ==&gt;&nbsp;<SPAN>11:53:13</SPAN></P><P>itime=1755234267 ==&gt;&nbsp;<SPAN>12:04:27 ==&gt; This is the actual time the event occurred.</SPAN></P> Fri, 15 Aug 2025 06:57:09 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751694#M119349 phamanh1652 2025-08-15T06:57:09Z Re: timestamp and itime does not match https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751740#M119352 <P>So it's actually the fortigate solution that is "lagging". If the main timestamp for the event should be the itime one, you need to change your props for that sourcetype to use that timestamp instead of the one at timestamp field</P><P>&nbsp;</P> Fri, 15 Aug 2025 19:10:37 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-and-itime-does-not-match/m-p/751740#M119352 PickleRick 2025-08-15T19:10:37Z