https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461612#M79648 <P>Greetings,</P> <P>In my environment, I have set up an Universal Forwarder that is monitoring a single server .log file, which is then forwarded to a Splunk indexer instance for parsing etc. as a specific sourcetype(log4j). My Universal Forwarder configuration is as follows: </P> <PRE><CODE>inputs.conf [default] host = 1 [monitor://server.log] sourcetype=log4j index= targetIndex </CODE></PRE> <P>On the indexer, I have noticed several issues, both with timestamp parsing and event breaking. As you can see in the following image, there are events mixed in with local timestamps dating 3 hours ago, but Splunk has assigned the current time for said event. On top of that, Splunk has made a separate event for the Headers: and Payload: entries, which should have been a part of the event below. Note that these events all come from the same host and all have the same sourcetype. <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7573i56C569B95F1481A5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> For additional context, the following image visualizes the format of the .log file as seen on the forwarding instance. Note how there is a slight gap between the second event's Content-Type and Headers fields, which, I believe, is what is causing Splunk to assign it to a separate event.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7574i1F40E04CDAB5705F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here is the props.conf that I currently have set on my indexer instance:</P> <PRE><CODE>[log4j] BREAK_ONLY_BEFORE=\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d.\d\d\d MAX_TIMESTAMP_LOOKAHEAD=23 TZ=Europe/Riga TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3NZ TIME_PREFIX=^ SHOULD_LINEMERGE=true </CODE></PRE> <P>As well as the limits.conf, although, to my understanding, it shouldn't affect the parsing behavior:</P> <PRE><CODE>limits.conf [search] max_rawsize_perchunk = 0 </CODE></PRE> <P>To summarize:</P> <OL> <LI>Splunk is unexpectedly breaking up events;</LI> <LI>There are events dated back exactly 3 hours mixed in with current events;</LI> </OL> <P>Could this be a timezone issue? Both of the instances seem to have the same timezone (EEST), but there seem to be events dated back exactly 3 hours mixed in with current events. What could be the possible cause of this?</P> <P>Thanks in advance!</P> Mon, 26 Aug 2019 13:42:29 GMT sendijsd 2019-08-26T13:42:29Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461612#M79648 <P>Greetings,</P> <P>In my environment, I have set up an Universal Forwarder that is monitoring a single server .log file, which is then forwarded to a Splunk indexer instance for parsing etc. as a specific sourcetype(log4j). My Universal Forwarder configuration is as follows: </P> <PRE><CODE>inputs.conf [default] host = 1 [monitor://server.log] sourcetype=log4j index= targetIndex </CODE></PRE> <P>On the indexer, I have noticed several issues, both with timestamp parsing and event breaking. As you can see in the following image, there are events mixed in with local timestamps dating 3 hours ago, but Splunk has assigned the current time for said event. On top of that, Splunk has made a separate event for the Headers: and Payload: entries, which should have been a part of the event below. Note that these events all come from the same host and all have the same sourcetype. <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7573i56C569B95F1481A5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> For additional context, the following image visualizes the format of the .log file as seen on the forwarding instance. Note how there is a slight gap between the second event's Content-Type and Headers fields, which, I believe, is what is causing Splunk to assign it to a separate event.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7574i1F40E04CDAB5705F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here is the props.conf that I currently have set on my indexer instance:</P> <PRE><CODE>[log4j] BREAK_ONLY_BEFORE=\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d.\d\d\d MAX_TIMESTAMP_LOOKAHEAD=23 TZ=Europe/Riga TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3NZ TIME_PREFIX=^ SHOULD_LINEMERGE=true </CODE></PRE> <P>As well as the limits.conf, although, to my understanding, it shouldn't affect the parsing behavior:</P> <PRE><CODE>limits.conf [search] max_rawsize_perchunk = 0 </CODE></PRE> <P>To summarize:</P> <OL> <LI>Splunk is unexpectedly breaking up events;</LI> <LI>There are events dated back exactly 3 hours mixed in with current events;</LI> </OL> <P>Could this be a timezone issue? Both of the instances seem to have the same timezone (EEST), but there seem to be events dated back exactly 3 hours mixed in with current events. What could be the possible cause of this?</P> <P>Thanks in advance!</P> Mon, 26 Aug 2019 13:42:29 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461612#M79648 sendijsd 2019-08-26T13:42:29Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461613#M79649 <P>It looks to me like the TIME_FORMAT setting does not exactly match the sample data. Try <CODE>TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N</CODE>.</P> Wed, 30 Sep 2020 01:53:53 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461613#M79649 richgalloway 2020-09-30T01:53:53Z https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461614#M79650 <P>Thank you very much, that did it! </P> Mon, 26 Aug 2019 17:19:08 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-unexpected-timestamp-parsing-behavior/m-p/461614#M79650 sendijsd 2019-08-26T17:19:08Z