
Indexed with a timestamp 1 year late

jrodriguezap
Communicator

Hello,
I wonder if this has happened to anyone.
I have an index called "main" where I index the logs of 4 devices, and one of them has a problem with the indexed date.
At this point I see it is 1 year late:
1/31/13 11:09:42.000 PM

What could this be due to?

0 Karma

linu1988
Champion

Hello,
It is possible Splunk is confused by the event's timestamp data.

Feb  1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group "INSIDE_access_in" [0x0, 0x0]

out of which Splunk is taking

09:32:28 192.168.1.13 Feb 01

this part as the timestamp for the event. You can test a bit by changing 192.168.1.13 to 192.168.1.14 inside the log itself. The correct way would be to change your configuration in props.conf to either use the time of event arrival or recognize the intended timestamp in the actual events. As the first part of the time doesn't have a year, I have taken the second half:

Feb 01 2014 09:32:51

props.conf (stanza for the ASA sourcetype; the stanza name below is a placeholder, replace it with your own sourcetype):

[<your_asa_sourcetype>]
NO_BINARY_CHECK = 1
# Skip past the relay host's IP (".13 ") so the ASA's own timestamp is read, not the syslog header
TIME_PREFIX = \.\d+\s
# Matches "Feb 01 2014 09:32:51" (single spaces, as in the event above)
TIME_FORMAT = %b %d %Y %H:%M:%S

Thanks
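To make the answer above concrete, here is an added example (not from the original thread or from Splunk) that mimics the two timestamp extractions on the quoted ASA line: the generic syslog-header extraction, which has no year and so must guess one, and the TIME_PREFIX/TIME_FORMAT extraction from the props.conf in the answer, which reads the year the ASA itself wrote. The sample line and the 20-character lookahead window are constructed for the example; Python's strptime understands the same %b %d %Y %H:%M:%S directives as Splunk's TIME_FORMAT.

```python
import re
from datetime import datetime

# Constructed sample: the ASA line quoted in the thread. A syslog relay prepends
# "Feb  1 09:32:28 192.168.1.13", then the ASA payload carries its own full timestamp.
SAMPLE = ('Feb  1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src '
          'INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group '
          '"INSIDE_access_in" [0x0, 0x0]')

# Same values as the props.conf in the answer.
TIME_PREFIX = re.compile(r'\.\d+\s')        # end of the relay's IP, e.g. ".13 "
TIME_FORMAT = '%b %d %Y %H:%M:%S'
MAX_LOOKAHEAD = 20                          # assumed window after the prefix (example choice)


def syslog_header_time(line, assumed_year):
    """Generic syslog-style extraction: month, day and time only, no year.

    The year has to be supplied from elsewhere (here, by the caller), which is
    exactly where a one-year error can enter. Returns None if no header is found.
    """
    m = re.match(r'(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2})', line)
    if not m:
        return None
    mon, day, hms = m.groups()
    return datetime.strptime(f'{mon} {int(day):02d} {assumed_year} {hms}', TIME_FORMAT)


def asa_payload_time(line):
    """TIME_PREFIX then TIME_FORMAT, as the props.conf stanza in the answer does.

    Skips to just past the first ".<digits> " (the relay IP), then parses the
    timestamp-shaped text that follows. Returns None if either step fails.
    """
    m = TIME_PREFIX.search(line)
    if not m:
        return None
    window = line[m.end():m.end() + MAX_LOOKAHEAD]
    ts = re.match(r'\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}', window)
    if not ts:
        return None
    return datetime.strptime(ts.group(0), TIME_FORMAT)


def years_disagree(line, assumed_year):
    """True when the guessed-year header time and the ASA's own time fall in different years."""
    header = syslog_header_time(line, assumed_year)
    payload = asa_payload_time(line)
    return header is not None and payload is not None and header.year != payload.year


if __name__ == '__main__':
    # With 2013 assumed for the year-less header, the result matches what the
    # poster saw in Splunk (2/1/13 9:32:28 AM); the ASA payload says 2014.
    print('syslog header, year guessed as 2013:', syslog_header_time(SAMPLE, 2013))
    print('ASA payload via TIME_PREFIX/TIME_FORMAT:', asa_payload_time(SAMPLE))
    print('years disagree:', years_disagree(SAMPLE, 2013))
```

The point of the comparison is that only the second extraction is unambiguous: the relay header never carries a year, so whatever fills it in (the indexer's current year, a previously seen event, or a guess) is a source of error, whereas the ASA's own "Feb 01 2014 09:32:51" is complete.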

jrodriguezap
Communicator

Hi lukejadamec, the result of that search is as follows

Feb 1 10:14:38 192.168.1.13 Feb 01 2014 10:27:01: %ASA-6-302014: Teardown TCP connection 104897871 for OUTSIDE:190.12.82.197/80 to INSIDE:192.168.1.64/29684 duration 0:00:30 bytes 0 SYN Timeou
0 Karma

lukejadamec
Super Champion

The firewall log sourcetype looks for timestamp host. Your event shows partialTimestamp host timestamp.
Can you double check the event content by reviewing the _raw data?
search |table _raw

0 Karma

jrodriguezap
Communicator

Hi linu. This is a log received from that device; you can see that the firewall log is sending the date:

Feb  1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group "INSIDE_access_in" [0x0, 0x0]

But the Time field in Splunk shows

2/1/13 
9:32:28.000 AM
0 Karma

linu1988
Champion

If a log has the time mentioned above, it will automatically be assigned as the event timestamp. What does the event contain? Could you elaborate more?

0 Karma