Hello
I wonder if this has happened to anyone.
I have a "main" DB where the logs of 4 devices are indexed, and one of them has problems with the indexing date.
Right now I see that it is 1 year behind:
1/31/13 11:09:42.000 PM
What could this be due to?
Hello,
It is possible Splunk is confused by the event's timestamp data.
Feb 1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group "INSIDE_access_in" [0x0, 0x0]
out of which Splunk is taking
09:32:28 192.168.1.13 Feb 01
this part as the timestamp for the event. You can test a bit by changing, inside the log itself, 192.168.1.13 to 192.168.1.14. The correct way would be to change your configuration in props.conf to use the time of event arrival, or to recognize the intended timestamp in the actual events. As the 1st part of the time doesn't have a year, I have taken the second half:
Feb 01 2014 09:32:51
props.conf
NO_BINARY_CHECK=1
TIME_FORMAT=%b %d %Y %H:%M:%S
TIME_PREFIX=\.\d+\s
Thanks
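Added example, not from the original thread and not Splunk's own parser: a small Python emulation of what the TIME_PREFIX/TIME_FORMAT pair in the answer above does, so the regex and the format string can be checked against the raw line before they go into props.conf. The first sample event is the line quoted in the thread; the second is a constructed variant with a different host octet and times, to confirm the prefix regex does not depend on the exact IP. The directive-to-regex table is a simplification covering only the directives used here, and leading_syslog_timestamp makes explicit that the year-less header timestamp cannot be parsed without a year supplied from outside the event.

```python
import re
from datetime import datetime

# The two settings from the props.conf in the answer above.
TIME_PREFIX = r"\.\d+\s"
TIME_FORMAT = "%b %d %Y %H:%M:%S"

# Sample events: the first is the line quoted in the thread, the second is a
# constructed variant (different host octet and times) to check that the
# prefix regex does not depend on the exact IP in the original.
SAMPLE_EVENTS = [
    'Feb 1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src '
    'INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group '
    '"INSIDE_access_in" [0x0, 0x0]',
    'Feb 1 10:14:38 192.168.1.9 Feb 01 2014 10:27:01: %ASA-4-106023: Deny tcp src '
    'INSIDE:192.168.15.54/37550 dst OUTSIDE:195.124.8.57/7735 by access-group '
    '"INSIDE_access_in" [0x0, 0x0]',
]

# strptime directive -> regex fragment; only the directives needed here.
_DIRECTIVES = {
    "%b": r"[A-Za-z]{3}",
    "%d": r"\d{1,2}",
    "%Y": r"\d{4}",
    "%H": r"\d{2}",
    "%M": r"\d{2}",
    "%S": r"\d{2}",
}


def format_to_regex(time_format):
    """Build a regex matching exactly the text a strptime-style format consumes."""
    parts = []
    i = 0
    while i < len(time_format):
        if time_format[i] == "%" and i + 1 < len(time_format):
            directive = time_format[i:i + 2]
            if directive not in _DIRECTIVES:
                raise ValueError("unsupported directive: " + directive)
            parts.append(_DIRECTIVES[directive])
            i += 2
        else:
            parts.append(re.escape(time_format[i]))
            i += 1
    return "".join(parts)


def extract_timestamp(event, time_prefix=TIME_PREFIX, time_format=TIME_FORMAT):
    """Emulate TIME_PREFIX + TIME_FORMAT: skip to just past the first match of
    TIME_PREFIX, then parse one TIME_FORMAT-shaped token starting right there.
    Returns None if either step fails, which is the signal that the config
    would not land on the intended timestamp for this line."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    token = re.match(format_to_regex(time_format), event[prefix.end():])
    if token is None:
        return None
    return datetime.strptime(token.group(0), time_format)


def leading_syslog_timestamp(event, borrowed_year):
    """The year-less syslog header timestamp at the very start of the event.
    The text carries no year, so one has to come from outside the event; the
    caller supplies it here to make that dependency explicit."""
    token = re.match(format_to_regex("%b %d %H:%M:%S"), event)
    if token is None:
        return None
    return datetime.strptime("%s %d" % (token.group(0), borrowed_year),
                             "%b %d %H:%M:%S %Y")


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("header timestamp (year borrowed as 2013):",
              leading_syslog_timestamp(event, 2013))
        print("TIME_PREFIX/TIME_FORMAT timestamp:       ",
              extract_timestamp(event))
```

On both sample lines extract_timestamp returns the 2014 ASA timestamp, while the header timestamp only becomes a full date once a year is borrowed, which is the half of the line the question's 2013 value corresponds to. In a real props.conf the two settings belong under the stanza for the firewall sourcetype, not at the top of the file.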
Hi lukejadamec, the result of that search is as follows:
Feb 1 10:14:38 192.168.1.13 Feb 01 2014 10:27:01: %ASA-6-302014: Teardown TCP connection 104897871 for OUTSIDE:190.12.82.197/80 to INSIDE:192.168.1.64/29684 duration 0:00:30 bytes 0 SYN Timeou
The firewall log sourcetype looks for "timestamp host". Your event shows "partialTimestamp host timestamp".
Can you double check the event content by reviewing the _raw data?
search | table _raw
Hi linu. This is a log received from that device; you can see that the firewall sends the date in the log:
Feb 1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group "INSIDE_access_in" [0x0, 0x0]
But the Time field in Splunk shows
2/1/13
9:32:28.000 AM
If a log has the time mentioned above, it will automatically be assigned as the event timestamp. What does the event contain? Could you elaborate more?