topic Re: Why Am I Seeing Events In The Future And How Do I Stop It in Splunk Search

Why Am I Seeing Events In The Future And How Do I Stop It

OgoNARA — Fri, 11 Oct 2024 12:53:18 GMT

Hi Guys,

I hope someone can help me out or give me a pointer here. When I run my searches I always get events in the future. I usually fix the time picker so it stops it but afterwards, I have to place the events in order and it's just adding a step for every search I make. Is there a way I can implement some type of SPL to make sure that I only get dates in the current time instead of the future?

Re: Why Am I Seeing Events In The Future And How Do I Stop It

gcusello — Fri, 11 Oct 2024 13:06:15 GMT

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

Re: Why Am I Seeing Events In The Future And How Do I Stop It

ITWhisperer — Fri, 11 Oct 2024 13:09:01 GMT

Could this just be from different timezones and/or UTC?

Can you provide examples of raw events, their _time timestamp (as set when they were indexed) and their _indextime to see if that's where the difference is coming from?

Re: Why Am I Seeing Events In The Future And How Do I Stop It

gcusello — Fri, 11 Oct 2024 13:42:02 GMT

Hi @OgoNARA ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: Why Am I Seeing Events In The Future And How Do I Stop It

computermathguy — Tue, 11 Mar 2025 15:33:48 GMT

One of our timecharts showed "future" time (by one hour) on the x-axis. Turns out the server time was off by one hour.