Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Forwarder - timestamp switched!!!

verbal_666
Builder
‎11-05-2019 02:03 AM

Splunk Forwarder 7.0.2 (Windows 64 bit)
Splunk Enterprise 7.0.0 (Linux)

The strange problem:
until 31/10, Europe TZ, logs are correctly indexed with this format (no Indexer props configured, set by default)

[31/10/2019 23:59:55] [URL] [HTTP_RC]

From 1/11, Splunk starts switching %m & %d in USA_TZ, so

[01/11/2019 00:00:00] [URL] [HTTP_RC]

become with timestamp (Europe) == 11/01/2019 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! And also today, i have 11/05/2019, but logs are

[05/11/2019 00:00:00] [URL] [HTTP_RC]

Why??????????????????? I know i should force the props in Indexers, such as,

CHARSET = UTF-8
TIME_FORMAT = %d/%m/%Y %T
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true

But why until 31/10 i have NO DATE PARSING problem at all?

Suggestions? Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 02:14 AM

Hi verbal_666,
Splunk by default use the american date format mm/dd/yyyy, so if you want to use an european format you have to forma time format in props.conf.
so in sourcetype stanza of props.conf on Indexers you have to insert:

[my_sourcetype]
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIMEPREFIX = ^\[
....

For more details see https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf .

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 02:14 AM

Hi verbal_666,
Splunk by default use the american date format mm/dd/yyyy, so if you want to use an european format you have to forma time format in props.conf.
so in sourcetype stanza of props.conf on Indexers you have to insert:

[my_sourcetype]
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIMEPREFIX = ^\[
....

For more details see https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf .

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎11-05-2019 03:16 AM

Thanks.
As i wrote in main post, i'll (eventually) write the correct props in Indexer(s) asap.

The question now is: why i have many others logs, from other forwarders, logging like

2019/05/11

without their sourcetype stanza in props, and are still logging Europe since 01/11?

Also, on same host, same forwarder, others logs are logged randomly 05/11 and 11/05, today.
Example, 3 events are 05/11, other 3 are 11/05! Strange behaviour.....

Thanks, anyway.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 03:55 AM

Hi verbal_666,
Because the problem there's only when there could be a mistake between american and european date format, if you have yyyy-mm-dd as date format there isn't any mistake.
The problem is born because Splunk is american and Europe has a different date format.
For this reason it's always a best practice to format date in props.conf when there could be this mistake.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎11-05-2019 04:19 AM

Anyway, yes, this props did it,

TIME_FORMAT=[%d/%m/%Y %T]
SHOULD_LINEMERGE=false
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 05:24 AM

Yes sorry, it's correct

TIME_FORMAT = %d/%m/%Y %H:%M:%S

otherwise it's unnecessary.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎11-05-2019 06:25 AM

Thanks again.

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎11-05-2019 04:11 AM

Ok, thanks.

Is right the 

TIME_FORMAT = %m/%d/%Y %H:%M:%S

you wrote up?

Shouldn't be

TIME_FORMAT = %d/%m/%Y %H:%M:%S

?

date +'%d/%m/%Y %H:%M:%S'
05/11/2019 13:10:24

Right?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...