topic Incorrect Timestamp in Getting Data In

Incorrect Timestamp

damo66a — Thu, 06 May 2021 10:52:07 GMT

hello,

I have some xml files coming in which is working fine, however, despite setting the TIME_FORMAT to %d/%m/%Y %H:%M:%S it is still putting some events into indexes with MM/DD/YYYY.

the time format is set in a props.conf file for my input but it appears to me ignoring it.

I've also noticed that despite me telling it to use a particular source type its making up its own that isnt in my instance. could that be the reason? if so why?

any ideas?

thanks in advance

Re: Incorrect Timestamp

richgalloway — Thu, 06 May 2021 12:59:24 GMT

The wrong sourcetype will prevent Splunk from using any of the settings for the expected sourcetype. Fix that and TIME_FORMAT should work. Share your inputs.conf settings if you need help with the sourcetype setting.

Also, make sure your props.conf file is in the right place (indexer or HF) and the instance was restarted after the file was changed.

Re: Incorrect Timestamp

damo66a — Thu, 06 May 2021 13:04:29 GMT

i think perhaps i may have done this wrong then.

my inputs.conf is as follows:

[fschange:E:\Logs\*] pollPeriod = 60 signedaudit=false fullEvent=true sendEventMaxSize=-1 index = ccure_sitedata sourcetype = ccure_site_journal

looking at sourcetypes in my cloud instance, the above mentioned sourcetype does have a TIME_FORMAT flag set.

as part of the app i have also done a props.conf file but presumably from what you have said, that is incorrect? (im using splunk cloud so presumably i cant edit the props file)

props.conf

TIME_FORMAT = %d/%m/%Y %H:%M:%S

i am fairly new at this so please forgive me for the formatting of these.

Re: Incorrect Timestamp

damo66a — Thu, 06 May 2021 15:19:54 GMT

i have been doing some more testing and structured the inputs.conf file as per splunk docs but the input is completely ignoring the fact that i'm telling it to use a particular source type and as such ignoring the format behind that.

from what i can tell its only marking the first event (or 2) with the required sourcetype and then stating xml as the sourcetype for the rest when there actually isn't a sourcetype named that.

what am i doing wrong? i've followed the documentation

Re: Incorrect Timestamp

richgalloway — Fri, 07 May 2021 14:29:26 GMT

I've never experienced the sourcetype changing midstream like that. Do you have any transforms installed that may be setting the sourcetype based on the data it sees?

Re: Incorrect Timestamp

erika_horton — Fri, 07 May 2021 17:06:09 GMT

I presume you are running this from a UF or HF - do you have access to the forwarder to run a btool?
I would start by doing btool on the input to verify the sourcetype configuration isn't getting clobbered there, then I would also btool the props of the sourcetype to see if the time format is correct.

Directions: https://docs.splunk.com/Documentation/Splunk/8.1.3/Troubleshooting/Usebtooltotroubleshootconfigurations

Re: Incorrect Timestamp

damo66a — Mon, 10 May 2021 08:21:12 GMT

i have tried to use the btool and its not jumping out with any errors or anything. to be fair im not 100% im doing it right.

Re: Incorrect Timestamp

damo66a — Mon, 10 May 2021 08:42:41 GMT

i dont beleive i have any transforms. certainly not any i've put in myself.

I have a props.conf that contains the time format as stated above. other than that, nothing.

Re: Incorrect Timestamp

damo66a — Thu, 13 May 2021 09:03:54 GMT

any ideas anyone?

Re: Incorrect Timestamp

damo66a — Mon, 17 May 2021 13:09:58 GMT

no one?