topic Re: Problem with dates in Splunk Search

Problem with dates

jjcorral — Tue, 08 May 2012 14:27:47 GMT

Hi.

I'm doing searches on the indexed events of the last minutes or hours, and I get no results.
I see that the problem is that Splunk is generating events in 2011, when today's events.
Where does this by taking that date? How I can make it work?
I attached a picture to see the failure.

Thanks in advance.
Kindest regards.

Re: Problem with dates

kristian_kolb — Tue, 08 May 2012 16:39:49 GMT

Well, the problem is that it seems like Splunk mismatches the date portion by one position, i.e. your log has the format mm/dd/yy , but Splunk parses this wrong (uses the month for day and the year for month (if you have a en-US locale, hard to tell from the numbers))

Does this happen for all logs indexed by Splunk?
What is your system clock set to on the indexer? 2011?
What are the values for timestartpos and timeendpos for this particular event (you'll find them in the 'show all fields')?

You might have to specify this manually in props.conf, though I've never had to do that ever for winevt-logs.

[WinEventLog:Security]
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 20

Hope this helps,

Kristian

Re: Problem with dates

jjcorral — Mon, 28 Sep 2020 11:47:31 GMT

Thanks four your answer.

I have and European date. dd/mm/yy

If the data comes from WinEventLog:Security fails, if comes from windows_snare_syslog it´s ok.

No, the clock on the indexer are sntp sync.

I have no timestartpos and timeendpos, my Splunk version is old. The 3.8.4, but i can´t migrate it.

Exactly it take thet date bad, today is (in european format) 09/05/2012 und splunk gets 09/12/11

Re: Problem with dates

kristian_kolb — Wed, 09 May 2012 19:05:44 GMT

Oooh that is OLD. Sorry, I cant remember all that happened since then.

Did you try the props.conf settings?