Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Events has wrong timestamp, How to correct time config?

iamsplunker
Communicator
‎06-27-2022 02:34 PM

Hello Splunkers, 

I've an issue with my event time configuration. It has incorrect timestamp. Below are my props settings..it doesn't seem to be working. Please Advise

TIME_FORMAT = %Y-%m-%d %H:%M:%S

TIME_PREFIX = ^

TZ = UTC-4

MAX_TIMESTAMP_LOOKAHEAD = 20 

 

Sample log format

Time                                                                      Event
6/27/21 8:30:56.000 PM                #Software: banana Internet Information Services 19.0
                                                                   #Version: 10.0
                                                                   #Date: 2021-06-27 20:32:46
                                                                   #Fields: Sacramento is the capital of California


6/27/21 8:30:56.000 PM                 #Software: pineapple Internet Information Services 39.0
                                                                    #Version: 12.0
                                                                    #Date: 2021-06-27 20:32:46
                                                                    #Fields: Austin is the capital of Texas

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-27-2022 11:37 PM

Hi @iamsplunker,

as @jamie00171 said, the TIME_PREFIX is wrong, please try this:

TIME_PREFIX = \#Date:\s+

Ciao.

Giuseppe

0 Karma
Reply

iamsplunker
Communicator
‎06-29-2022 08:24 AM

@gcusello@jamie00171 Thanks. Looks like I've different events. For ex: Some events starts with 

2021-06-27 19:20:40  .....   and few events starts with 

                                                                    #Software: pineapple Internet Information Services 39.0
                                                                    #Version: 12.0
                                                                    #Date: 2021-06-27 20:32:46
                                                                    #Fields: Austin is the capital of Texas

 

does this TIME_PREFIX work ?

 

TIME_PREFIX = ^|\#Date:\s+

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-29-2022 08:35 AM

Hi @iamsplunker,

if you have different formats, maybe you have different logs with same sourcetype, so the best approach is to clearly identify sourcetype for each type of events and use the correct sourcetype to each data flow.

Anyway, please try this (I'm not sure that works!)

TIME_PREFIX = ^|(.*\#Date:\s+)

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2022 09:11 AM

If this didn’t work you could use INGEST_EVAL on transforms.conf. 1st try to pick _time as normal way and if it didn’t succeed then use INGEST_EVAL. You could found some examples from answers like https://community.splunk.com/t5/Getting-Data-In/Index-time-extraction-and-non-indexed-field/m-p/5777...

r. Ismo

0 Karma
Reply

jamie00171
Communicator
‎06-27-2022 02:53 PM

Hi @iamsplunker 

If you set TIME_PREFIX to ^ - I assume that means you are asking Splunk to look at the start of the event for the timestamp, however that doesn't seem to be where it is located, try changing the prefix to Date: and increasing the look ahead slightly.

Thanks, 

Jamie

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...