<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201128#M39751</link>
    <description>&lt;P&gt;Thanks for the response. I also want to use the timestamp inside the event, and the use of DATETIME_CONFIG=CURRENT was for testing. Below are the details of the syslog event which comes to the Splunk indexer via the universal forwarder. In the event, the date and time come exactly after the IP address. The IP address is 172.5.41.12, the date is Aug 30 and the time is 10.18.43. Unfortunately the year is not in the event, and Splunk detects the last octet of the IP as the year, i.e. 12 as 2012. &lt;/P&gt;

&lt;P&gt;2012-08-30 13:18:44 08/30/2015 13:18:44 local   172.5.41.12 udp:514 linux_secure    Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 2, Llog used 2&lt;/P&gt;</description>
    <pubDate>Mon, 31 Aug 2015 06:51:22 GMT</pubDate>
    <dc:creator>kpsajin</dc:creator>
    <dc:date>2015-08-31T06:51:22Z</dc:date>
    <item>
      <title>Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201126#M39749</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;We have configured SUSE Linux servers to send their syslogs to a Universal Forwarder. We found a very strange issue when the logs are indexed: Splunk is detecting the wrong year in the timestamp. &lt;/P&gt;

&lt;P&gt;For example: if the Linux server IP is 172.20.41.11, Splunk detects the year in the timestamp as 2011. If the IP is x.x.x.12, it detects the year as 2012. If the IP is x.x.x.16 or x.x.x.17 or anything above 15, it detects it as 2015. &lt;/P&gt;

&lt;P&gt;I have tried forwarding the syslogs to the Splunk Indexer directly instead of through a universal forwarder, and the timestamp is perfect. I tried setting DATETIME_CONFIG=CURRENT in props.conf on the indexer for the Linux source types, but still no luck when the logs come through the forwarder. Can someone help find a solution? &lt;/P&gt;</description>
      <pubDate>Sun, 30 Aug 2015 10:05:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201126#M39749</guid>
      <dc:creator>kpsajin</dc:creator>
      <dc:date>2015-08-30T10:05:51Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201127#M39750</link>
      <description>&lt;P&gt;For your UF using syslog, the timestamping will be done by the Indexer so if you would like to use &lt;CODE&gt;DATETIME_CONFIG=CURRENT&lt;/CODE&gt; (which I would advise against; I would always use the timestamp inside the events), then you would put this in &lt;CODE&gt;props.conf&lt;/CODE&gt; on your Indexers and restart the Splunk instances on each one and then look for events that come in &lt;EM&gt;after&lt;/EM&gt; that time to see if these now are timestamped correctly.&lt;/P&gt;</description>
      <pubDate>Sun, 30 Aug 2015 14:12:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201127#M39750</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2015-08-30T14:12:59Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201128#M39751</link>
      <description>&lt;P&gt;Thanks for the response. I also want to use the timestamp inside the event, and the use of DATETIME_CONFIG=CURRENT was for testing. Below are the details of the syslog event which comes to the Splunk indexer via the universal forwarder. In the event, the date and time come exactly after the IP address. The IP address is 172.5.41.12, the date is Aug 30 and the time is 10.18.43. Unfortunately the year is not in the event, and Splunk detects the last octet of the IP as the year, i.e. 12 as 2012. &lt;/P&gt;

&lt;P&gt;2012-08-30 13:18:44 08/30/2015 13:18:44 local   172.5.41.12 udp:514 linux_secure    Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 2, Llog used 2&lt;/P&gt;</description>
      <pubDate>Mon, 31 Aug 2015 06:51:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-detecting-the-wrong-timestamp-for-SUSE-Linux/m-p/201128#M39751</guid>
      <dc:creator>kpsajin</dc:creator>
      <dc:date>2015-08-31T06:51:22Z</dc:date>
    </item>
  </channel>
</rss>