https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60269#M14851 <P>Check to make sure that there isn't another rule overriding <CODE>TIME_FORMAT</CODE> or other timestamping options. If you have conflicting entries in props.conf, configuration settings applied to <CODE>[host::myhost]</CODE> or <CODE>'[source::mysource]</CODE> will take precedence over those applied to the sourcetype.</P> <P>If that isn't the problem, then more information is always helpful, such as:</P> <P><LI>How are you bringing the syslog data in? (Looks like syslog-ng?)</LI></P> <P><LI>How is the input configured in inputs.conf?</LI></P> Thu, 30 Sep 2010 06:06:59 GMT southeringtonp 2010-09-30T06:06:59Z https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60267#M14849 <P>We seem to be having an issue with the postfix_syslog sourcetype (that came as a default sourcetype in Splunk) and its date extractions. </P> <P>I posted this at 8:20am on 9/29, and did a search of events that take place between 15:00 and 23:59 on 9/29 and come back with the following results.</P> <P>As you can see, the date_hour is set up as 18 on one of these events, which translates to 6pm, but the original event actually took place at 5am.</P> <P>I am not overriding any of the default postfix_syslog stuff, and these events are getting sourcetyped properly, as shown below.</P> <PRE><CODE>[postfix_syslog] TIME_FORMAT = %b %d %H:%M:%S </CODE></PRE> <P>According to the docs, %H is the 24 hour time, even though Splunk seems to believe it is not.</P> <P>Any help is appreciated. Thanks,</P> <P>--adam (EDIT) This is Splunk 4.1.4, data is coming in with syslog-ng. <IMG src="http://img844.imageshack.us/img844/8767/postfixsyslogincorrectt.jpg" alt="alt text" /></P> Wed, 29 Sep 2010 19:22:44 GMT https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60267#M14849 adamw 2010-09-29T19:22:44Z https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60268#M14850 <P>That's very weird. Some additional details may help. Please "edit" your post and provide: The version of splunk you are running. Have you ever made any changes to datetime.xml? Does the syslog host contain any digits it or is it an IP address?</P> Thu, 30 Sep 2010 05:35:29 GMT https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60268#M14850 Lowell 2010-09-30T05:35:29Z https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60269#M14851 <P>Check to make sure that there isn't another rule overriding <CODE>TIME_FORMAT</CODE> or other timestamping options. If you have conflicting entries in props.conf, configuration settings applied to <CODE>[host::myhost]</CODE> or <CODE>'[source::mysource]</CODE> will take precedence over those applied to the sourcetype.</P> <P>If that isn't the problem, then more information is always helpful, such as:</P> <P><LI>How are you bringing the syslog data in? (Looks like syslog-ng?)</LI></P> <P><LI>How is the input configured in inputs.conf?</LI></P> Thu, 30 Sep 2010 06:06:59 GMT https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60269#M14851 southeringtonp 2010-09-30T06:06:59Z https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60270#M14852 <P>Seems likely that you have some conflicting configuration. Splunk does not appear to be looking at your event timestamps at all, but using CURRENT or the file modification time. This may be because of changes or redefinitions of DATETIME_CONFIG or the file it points to. Probably using <CODE>btool</CODE> <A href="http://www.splunk.com/base/Documentation/4.1.5/Admin/Troubleshootingconfigurations" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.5/Admin/Troubleshootingconfigurations</A> may help show if this is so, of if there are other configurations conflicting (e.g., both <CODE>source::</CODE> and <CODE>host::</CODE> configurations will override sourcetype props.conf configurations.)</P> Thu, 30 Sep 2010 11:25:12 GMT https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60270#M14852 gkanapathy 2010-09-30T11:25:12Z https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60271#M14853 <P>One more possibly helpful resource:</P> <UL> <LI><A href="http://answers.splunk.com/questions/4075/whats-the-best-way-to-track-down-props-conf-problems/4080" rel="nofollow">What’s the best way to track down props.conf problems?</A></LI> </UL> Thu, 30 Sep 2010 20:55:40 GMT https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60271#M14853 Lowell 2010-09-30T20:55:40Z https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60272#M14854 <P>I agree, a rogue <CODE>DATETIME_CONFIG = CURRENT</CODE> entry does seem to be the most logical explication for what's going on here.</P> Thu, 30 Sep 2010 21:09:16 GMT https://community.splunk.com/t5/Splunk-Search/postfix-syslog-time-extraction-inaccuracies/m-p/60272#M14854 Lowell 2010-09-30T21:09:16Z