Splunk_TA_Windows - script:installedapps timestamp issues?

daniel333 — Mon, 16 Nov 2020 23:29:02 GMT

All,

Thought I posted this before, but can't find it in my history.

I am seeing alerts in my Splunk logs statin that the I am getting data from the future on my sourcetype script:installedapps. It's default and unmodified from the Splunk_TA_Window standard.

From there I did notice that _indextime and _time were off a bit.

When I look at props.conf provided by Splunk_TA_Windows it has no time stamp recognition. Is there a reason for this? Should I go ahead and add it or is there a trick for this I am missing?

thanks

-Daniel

Re: Splunk_TA_Windows - script:installedapps timestamp issues?

daniel333 — Tue, 17 Nov 2020 00:03:34 GMT

So I went ahead and created a basic props.conf per my undertanding of best practice.

My latency between time and indexed time was about -80second on this sourcetype. After adding the below props.conf to a local override I am now getting closer to 10 seconds.

Didn't think props.conf would so dramatically impact a single sourcetype like that, but I guess it could? Either way no longer getting the data from the future error either.

# props.conf

	[Script:InstalledApps]
	pulldown_type = true
	category = Windows
	description = List Installed Apps
	### Index time
	# Input queue - event_breaker processed at the UF as well as IDX
	EVENT_BREAKER_ENABLE = true
	EVENT_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
	NO_BINARY_CHECK = True
	CHARSET = UTF-8

	DATETIME_CONFIG=
	TIME_PREFIX= ^
	MAX_TIMESTAMP_LOOKAHEAD= 24
	TIME_FORMAT= %Y-%m-%d %H:%M:%S.%3Q
	MAX_DAYS_AGO = 1
	MAX_DAYS_HENCE = 2

	# Typing queue
	ANNOTATE_PUNCT = False

	# Indexing queue
	SEGMENTATION = indexing

	# Search time
	EVAL-data_classification = "Proprietary"

topic Splunk_TA_Windows - script:installedapps timestamp issues? in Getting Data In

Splunk_TA_Windows - script:installedapps timestamp issues?

Re: Splunk_TA_Windows - script:installedapps timestamp issues?