topic Re: Different timestamp recognition for same stanza in Getting Data In

Different timestamp recognition for same stanza

bfernandez — Tue, 27 Nov 2012 22:28:15 GMT

I am gathering perfmon data from two windows servers but Splunk 5.0 no correctly recognize the timestamp in one of them.

[perfmon://LocalPhysicalDisk]
counters = % Free Space;Free Megabytes
interval = 60
object = LogicalDisk
disabled = 0

Wrong timestamp data is generated on a cloud server with a different time that our network although we are both using the default Microsoft ntp server.

Splunk Timestamp Data Timestamp
11/22/12 9:53:49.765 PM 11/22/2012 21:53:49.765 (local sever)
11/22/12 10:05:38.000 PM 11/22/2012 22:06:21.062 (cloud server)

Why Splunk doesn’t simply use the timestamp of the data?

Thanks!!

Re: Different timestamp recognition for same stanza

lguinn2 — Thu, 29 Nov 2012 01:40:33 GMT

Splunk may be trying to consider the timezone of each server. This might be found in the event - or it could be set in props.conf for cloud server.

Re: Different timestamp recognition for same stanza

bfernandez — Thu, 29 Nov 2012 18:55:16 GMT

All the servers have the same TZ, but not the same time, so in this case splunk should use the server's TZ.

I reckon that the problem is other but I will try setting this option in props.conf.

Thanks.

Re: Different timestamp recognition for same stanza

gfuente — Wed, 19 Dec 2012 16:29:33 GMT

Hello Borja

You should set up correctly the time configuration from windows time to syncronize with a central time server

Reagrds

Re: Different timestamp recognition for same stanza

sowings — Wed, 19 Dec 2012 17:03:32 GMT

Do you have DATETIME_CONFIG = CURRENT in your props.conf?

Re: Different timestamp recognition for same stanza

bfernandez — Wed, 19 Dec 2012 17:53:45 GMT

I am using the default value /etc/datetime.xml to recognise the timestamp in data