Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

For a subset of hosts _time is the same for every event sent

dozer
Engager
‎03-04-2021 06:09 AM

I have a particular feed with 24 appliances that send their data via rest call over 8089 to a heavy forwarder which is then forwarded to the indexing cluster and indexed. 

For every event for every appliance, _time is correct with the exception of three appliances.

For those three appliances however, regardless of when the events are generated, _time is always 3:55:40.000 AM for appliance one, 3:25:00.000 AM for appliance two, and 3:58:00.000 AM for appliance three. And again, the other 21 appliances that send the exact same way are not having this issue.

My original thought was that it was a config issue with those three appliances. But the team that manages them confirmed they were all configured the same.

I have not been able to find any clues on the splunk side as to why this may be happening. Any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dozer
Engager
‎04-20-2021 09:18 AM

Adding DATETIME_CONFIG = CURRENT to props ended up correcting it for those three. Still was not able to determine what config was actually responsible for causing the issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2021 07:19 AM

I agree it sounds like a configuration problem, but rather than look at the appliance configs, I'd look at the Splunk configs.

How are the three different from the other 21 in their Splunk configurations?  Do they use different sourcetypes?  If so, compare the props.conf settings.  I suspect some large number in the data is being mis-interpreted as a timestamp.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

dozer
Engager
‎04-20-2021 09:18 AM

Adding DATETIME_CONFIG = CURRENT to props ended up correcting it for those three. Still was not able to determine what config was actually responsible for causing the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...