topic Re: _time is wrong in Getting Data In

_time is wrong

sarit_s — Fri, 31 Jan 2020 10:39:24 GMT

Hello

i'm creating a sample of some poc so i added data manually from the "add data" option.
when reviewing the time format from the "add data" option i see everything extracting perfectly but when searching in splunk the time in "_time" is the time that i added the data.

for example:

02/02/2020
11:19:20.000    
44.204.160.84 - - [02/Feb/2020:23:55:40 +0200] "POST /posts/posts/explore HTTP/1.0"

so you can see that the date is correct but the time is not the same as in the event

update
i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000
138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000
217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

how can i fix it ?

thanks

Re: _time is wrong

p_gurav — Fri, 31 Jan 2020 10:43:19 GMT

Did you set any default timezone for your user? Also, check the system timezone.

Re: _time is wrong

skalliger — Fri, 31 Jan 2020 10:45:58 GMT

Please show us your props.conf stanza with the according settings and maybe give us more than one sample event.

Skalli

Re: _time is wrong

sarit_s — Fri, 31 Jan 2020 11:08:22 GMT

yes, user's timezone set to Asia\Jerusalem

Re: _time is wrong

sarit_s — Fri, 31 Jan 2020 11:09:21 GMT

[access_combined]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = 
disabled = false
TZ = UTC


02/02/2020
13:05:47.000    
25.90.196.46 - - [02/Feb/2020:23:58:19 +0200] "GET /explore HTTP/1.0"

Re: _time is wrong

p_gurav — Fri, 31 Jan 2020 11:27:25 GMT

ok. and what is the indexer's timezone? Also, In props.conf put TZ= Asia/Jerusalem.

Re: _time is wrong

sarit_s — Fri, 31 Jan 2020 11:46:09 GMT

the indexer TZ is also Asia/Jerusalem
also, i changed it in props but it is not helping

i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000

138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000

217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

Re: _time is wrong

to4kawa — Fri, 31 Jan 2020 12:28:52 GMT

TZ = UTC ? log is +0200.
please set TIME_FORMAT

Re: _time is wrong

richgalloway — Fri, 31 Jan 2020 13:47:46 GMT

Add TIME_FORMAT = %d/%b/%Y:%H:%M:%S %Z and change the TIME_PREFIX value to \[.

Re: _time is wrong

sarit_s — Fri, 31 Jan 2020 19:00:25 GMT

it is not working.. now even the date is wrong :

02/02/2020
20:53:37.000    
146.145.47.30 - - [06/Feb/2020:20:34:28 +0200] "PUT /list HTTP/1.0"

also i noticed something strange :
this is the msg i got after the search completed :

5,000 events (before 31/01/2020 20:57:34.000)
but the results i got is from 2\2\2020 which is future date...