Re: The events time do not march the time field in...

perlish · ‎06-23-2013

Why the time of a part of the events are different from what the time field show?
And how to set the config to make time of events right?

pembleton · ‎06-23-2013

There are numerous answers to your question, here are some, but you should go and some more for a better understanding:

bad timestamp extraction
no timestamp extraction (splunk takes time from file date, or system time)
different timezone (set for the sourcetype in props.conf, you have changed time settings on the indexer system, timezone set for the user viewing the events )

martin_mueller · ‎06-23-2013

I'm not exactly certain if I understand your question, but it sounds like you might need this: http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

linu1988 · ‎06-23-2013

Splunk doesn't get the event times from the logs.
You have to specify the time format explicitly to get the timing.

In props.conf

TIME_FORMAT= Log_time format e.g. y%:m%:d%
TIME_PREFIX=regex to get the time filed
MAX_TIMESTAMP_LOOKAHEAD= Specify the size of the time fields to look at

These are the most useful field to get it resolved. New index data will show the update but the old data stat as it is.

The events time do not march the time field in events

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!