Splunk 4.2.2 - Logs off by several Hours

New Member

Good Morning,

We recently upgraded our Splunk instance to version 4.2.2. Today we noticed that several of our logs are off by a few hours. Currently it is 10:40 AM (CST), but when you log in and look at the search, it's several hours in the future.

Our environment comprises:
A. Splunk Indexer -- Version 4.2.2
B. Splunk Forwarders -- Pre 4.2 (Most are on 4.1.x versions)

Any assistance would be greatly appreciated! Thanks!

--Asif Ahmad

0 Karma

New Member

Well, the funny thing is that it seems to be working in our TEST environment. So I'm trying to figure out what's the difference between TEST and PRODUCTION.

0 Karma

Communicator

I see.

Unfortunately, unless you can find any more specific information about the two environments, I don't believe there is much other help I can give here; digging through them to find the differences is something you'll have to tackle yourself...

If there are different .conf files for TEST and PRODUCTION, I would still recommend looking at the timezones set for each. Also, which environment did you upgrade to 4.2.2?

0 Karma

Communicator

Splunk might be confused about your timezone; maybe the upgrade messed with your .conf files somehow?

Here's the documentation page on timestamps. It explains how to set up time-related options far better than I could: http://docs.splunk.com/Documentation/Splunk/4.2.3/Data/Configuretimestamprecognition

Hope this helps.

0 Karma