https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450529#M78192 <P>So all events are showing timestamps a certain amount of hours behind/ahead?</P> Wed, 18 Jul 2018 14:02:37 GMT somesoni2 2018-07-18T14:02:37Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450527#M78190 <P>I have an index whose data is being fetched from UDP port. Index is experiencing latency [lag in events] and we suspect timestamp issues with index. How can this be debugged further.</P> Wed, 18 Jul 2018 11:50:35 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450527#M78190 JuhiSaxena 2018-07-18T11:50:35Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450528#M78191 <P>any clue in splunkd.log?<BR /> <CODE>index = _internal sourcetype=splunkd ... other text like your sourcetype or udp port number</CODE></P> Wed, 18 Jul 2018 13:38:12 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450528#M78191 adonio 2018-07-18T13:38:12Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450529#M78192 <P>So all events are showing timestamps a certain amount of hours behind/ahead?</P> Wed, 18 Jul 2018 14:02:37 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450529#M78192 somesoni2 2018-07-18T14:02:37Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450530#M78193 <P>I am getting some Date Parse warnings.</P> <P>WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Jul 18 07:00:14 2018)</P> Wed, 18 Jul 2018 14:14:05 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450530#M78193 JuhiSaxena 2018-07-18T14:14:05Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450531#M78194 <P>please show us some sample data and your props.conf for parsing timestamp</P> Wed, 18 Jul 2018 14:22:42 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450531#M78194 adonio 2018-07-18T14:22:42Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450532#M78195 <P>Data like :<BR /> <EM>hostname: NB-9-126-2<BR /><BR /> level: INFO<BR /><BR /> monitoring: WrkSet: 73M<BR /> PeakWrkSet: 74M<BR /> PrivMemSize: 80M<BR /> VirtMemSize: 487M<BR /> HndleCnt: 649<BR /> ThrdCnt: 30<BR /><BR /> msg: null<BR /><BR /> ts: 2018-07-18T14:27:25.1923380Z</EM></P> <P>props.cfg-<BR /> <EM>KV_MODE = none<BR /> TRUNCATE = 0<BR /> SHOULD_LINEMERGE = false<BR /> TIME_PREFIX = "ts":"<BR /> MAX_TIMESTAMP_LOOKAHEAD = 2048<BR /> MAX_EVENTS = 1</EM></P> Tue, 29 Sep 2020 20:30:47 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450532#M78195 JuhiSaxena 2020-09-29T20:30:47Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450533#M78196 <P>there is lag in data indexing [behind].</P> Wed, 18 Jul 2018 14:34:31 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450533#M78196 JuhiSaxena 2018-07-18T14:34:31Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450534#M78197 <P>Try running something like this and share result.</P> <PRE><CODE>index=yourindex sourcetype=yoursourcetype | eval lag=abs(_time-_indextime) | stats avg(lag) max(lag) min(lag) </CODE></PRE> <P>If there is an issue in timestamp parsing, especially the Timezone, then all three columns should be very close in value. </P> <P>Is your data in json format? (with values in double quotes)?</P> Wed, 18 Jul 2018 14:56:28 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450534#M78197 somesoni2 2018-07-18T14:56:28Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450535#M78198 <P>yes Json</P> <P>avg(lag) : 53.383068783068786<BR /> max(lag): 143<BR /> min(lag):0</P> Wed, 18 Jul 2018 15:05:05 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450535#M78198 JuhiSaxena 2018-07-18T15:05:05Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450536#M78199 <P>so per above stats, the lags are less that 3 mins, which are acceptable to many. Do you expect those to be even lesser?</P> <P>Per above stats also, there doesn't seem to be timezone issue. I would still recommend using following for your props.conf</P> <PRE><CODE>[yourSourceTypeHere] KV_MODE = none TRUNCATE = 0 SHOULD_LINEMERGE = false TIME_PREFIX = \"ts\"\:\" MAX_TIMESTAMP_LOOKAHEAD = 28 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z MAX_EVENTS = 1 </CODE></PRE> Wed, 18 Jul 2018 15:11:55 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450536#M78199 somesoni2 2018-07-18T15:11:55Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450537#M78200 <P>If I check for 24hrs, lag has reached to even 30minutes as well.</P> <P>avg(lag) :872.6742391843478 <BR /> max(lag) :1815.000000<BR /> min(lag) : 0</P> <P>Moreover, If its not a timeZone issue, what else could be the reason, is it timestamp parsing issue only?</P> Wed, 18 Jul 2018 15:21:14 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450537#M78200 JuhiSaxena 2018-07-18T15:21:14Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450538#M78201 <P>It could be. How about you use the props.conf which I provided, which should parse the timestamp correctly (based on our sample data). Monitor for few hours and see if the lag has reduced or not.</P> <P>Also check if you see any blocked queues on your indexer/heavy forwarder which might be adding delay in indexing. <BR /> <A href="https://answers.splunk.com/answers/168882/how-to-troubleshoot-blocked-queues-that-are-preven.html">https://answers.splunk.com/answers/168882/how-to-troubleshoot-blocked-queues-that-are-preven.html</A></P> Wed, 18 Jul 2018 15:43:08 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450538#M78201 somesoni2 2018-07-18T15:43:08Z https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450539#M78202 <P>Doesn't looks to be a case of blocked queues. We'll try altering props.cfg as you suggested.</P> <P>Thanks</P> Wed, 18 Jul 2018 15:53:40 GMT https://community.splunk.com/t5/Getting-Data-In/Debug-timestamp-issue-for-data-coming-from-UDP-port-in-Cloud/m-p/450539#M78202 JuhiSaxena 2018-07-18T15:53:40Z