
Splunk Forwarder - timestamp switched!!!

verbal_666
Builder

Splunk Forwarder 7.0.2 (Windows 64 bit)
Splunk Enterprise 7.0.0 (Linux)

The strange problem:
until 31/10 (Europe TZ), logs were correctly indexed with this format (no Indexer props configured, set by default):

[31/10/2019 23:59:55] [URL] [HTTP_RC]

From 1/11, Splunk starts switching %m and %d to the USA_TZ order, so

[01/11/2019 00:00:00] [URL] [HTTP_RC]

becomes, with timestamp (Europe) == 11/01/2019!!! And also today, I have 11/05/2019, but the logs are

[05/11/2019 00:00:00] [URL] [HTTP_RC]

Why? I know I should force the props on the Indexers, such as:

CHARSET = UTF-8
TIME_FORMAT = %d/%m/%Y %T
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true

But why, until 31/10, did I have NO DATE PARSING problem at all?

Suggestions? Thanks.

1 Solution

gcusello
SplunkTrust

Hi verbal_666,
Splunk by default uses the American date format mm/dd/yyyy, so if you want to use a European format you have to set the time format in props.conf.
So in the sourcetype stanza of props.conf on the Indexers you have to insert:

[my_sourcetype]
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIME_PREFIX = ^\[
....

For more details see https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Propsconf .

Ciao.
Giuseppe


verbal_666
Builder

Thanks.
As I wrote in the main post, I'll (eventually) write the correct props on the Indexer(s) asap.

The question now is: why do I have many other logs, from other forwarders, logging like

2019/05/11

without their sourcetype stanza in props, which are still logging European dates since 01/11?

Also, on the same host, same forwarder, other logs are logged randomly as 05/11 and 11/05, today.
For example, 3 events are 05/11 and another 3 are 11/05! Strange behaviour...

Thanks, anyway.


gcusello
SplunkTrust

Hi verbal_666,
Because the problem is only there when there could be a mistake between the American and European date formats; if you have yyyy-mm-dd as the date format there isn't any mistake.
The problem arises because Splunk is American and Europe has a different date format.
For this reason it's always a best practice to set the date format in props.conf when there could be this mistake.

Ciao.
Giuseppe

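The point made above (the swap only bites when both readings are valid dates, and a year-first format is never at risk) can be checked against a log sample before trusting automatic timestamp recognition. The following Python is an added example, not code from this thread or from Splunk, and it does not reproduce Splunk's own datetime.xml heuristics: it simply parses each timestamp as dd/mm/yyyy (what the application writes) and as mm/dd/yyyy (the default guess) and flags the lines where both succeed with different results. The two timestamp shapes it recognises and the sample lines are constructed from the dates quoted in the thread.

```python
import re
from datetime import datetime

# strptime equivalents of the TIME_FORMAT values discussed in the thread.
EU_FORMAT = "%d/%m/%Y %H:%M:%S"   # what the application actually writes
US_FORMAT = "%m/%d/%Y %H:%M:%S"   # the default mm/dd guess
YMD_FORMAT = "%Y/%m/%d"           # year-first, as in the other forwarders' logs

# Timestamp shapes at the start of a line (assumed: the '[...]' web log and a
# year-first log, both taken from the examples quoted in the thread).
BRACKET_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]")
YMD_RE = re.compile(r"^(\d{4}/\d{2}/\d{2})\b")


def _parse(ts, fmt):
    """strptime that returns None instead of raising when the text does not fit fmt."""
    try:
        return datetime.strptime(ts, fmt)
    except ValueError:
        return None


def classify(ts):
    """Classify one timestamp string.

    Returns (label, intended, default_guess):
      label         'unambiguous', 'ambiguous' or 'unparseable'
      intended      the datetime under the European (dd/mm) reading
      default_guess the datetime a mm/dd-first guess would produce
    A timestamp is 'ambiguous' only when both readings are valid calendar
    dates and differ, i.e. day and month are both <= 12 and not equal.
    """
    if YMD_RE.match(ts):
        dt = _parse(ts, YMD_FORMAT)
        return ("unambiguous", dt, dt) if dt else ("unparseable", None, None)
    intended = _parse(ts, EU_FORMAT)
    if intended is None:
        return ("unparseable", None, None)
    guess = _parse(ts, US_FORMAT)
    if guess is None or guess == intended:
        # e.g. 31/10/2019: 31 is not a valid month, so only the EU reading fits;
        # 11/11/2019: both readings give the same instant.
        return ("unambiguous", intended, intended)
    return ("ambiguous", intended, guess)


def audit(lines):
    """Return one (line, label, intended, default_guess) tuple per log line."""
    report = []
    for line in lines:
        m = BRACKET_RE.match(line) or YMD_RE.match(line)
        if not m:
            report.append((line, "no-timestamp", None, None))
            continue
        label, intended, guess = classify(m.group(1))
        report.append((line, label, intended, guess))
    return report


def ambiguous_lines(lines):
    """Just the lines whose day and month a default mm/dd-first parse would swap."""
    return [r for r in audit(lines) if r[1] == "ambiguous"]


# Constructed sample lines built from the dates quoted in the thread.
SAMPLE_LINES = [
    "[31/10/2019 23:59:55] /index.html 200",
    "[01/11/2019 00:00:00] /index.html 200",
    "[05/11/2019 00:00:00] /login 302",
    "2019/05/11 12:00:00 other forwarder, year-first format",
    "no timestamp on this line",
]

if __name__ == "__main__":
    for line, label, intended, guess in audit(SAMPLE_LINES):
        if label == "ambiguous":
            print(f"{label:12} {line!r}: written {intended}, default guess reads {guess}")
        else:
            print(f"{label:12} {line!r}")
```

Run it over a few hundred real lines from the forwarder: every 'ambiguous' row belongs to a sourcetype that needs an explicit TIME_FORMAT (and TIME_PREFIX) in props.conf rather than automatic detection, and the year-first lines come out 'unambiguous' for the reason given in the reply above.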

verbal_666
Builder

Anyway, yes, these props did it:

TIME_FORMAT=[%d/%m/%Y %T]
SHOULD_LINEMERGE=false

gcusello
SplunkTrust

Yes, sorry, it's correct:

TIME_FORMAT = %d/%m/%Y %H:%M:%S

otherwise it's unnecessary.

Ciao.
Giuseppe


verbal_666
Builder

Thanks again.


verbal_666
Builder

Ok, thanks.

Is the

TIME_FORMAT = %m/%d/%Y %H:%M:%S

you wrote above right?

Shouldn't it be

TIME_FORMAT = %d/%m/%Y %H:%M:%S

?

date +'%d/%m/%Y %H:%M:%S'
05/11/2019 13:10:24

Right?
