How do I fix this error: One or more sourcetypes h...

Mohanveera1 · ‎06-01-2022

Hello everyone,

In Splunk GUI when i run health check its showing one error like One or more source types has been found to present events in the future. All the sources are giving the correct timestamp with timezone UTC +0:00 but when i checked the devices that are configured with the source types with the error, the devices are in the other timezone i.e UTC +08:00, and we are receiving the logs that are also in the future timezone. so how can i overcome this problem with the future timestamp. the Splunk indexer time zone is UTC +0:00 please refer the screenshot.

Thanks in advance............

venky1544 · ‎06-01-2022

HI @Mohanveera1

it could be that the timestamp extraction for this sourcetype in the props.conf might be ignoring the time zone specifier probably you might want to consider using theTimezone(TZ) attribute if the event time stamp does not have a time zone

would you mind sharing the props configuration for this sourcetype

Note: if it helps karma points are appreciated/if it resolves acceptance of the solution is appreciated

Mohanveera1 · ‎06-01-2022

Hi @venky1544

Thank you for your response.

The events are having the timestamp and the devices from which the events are generating are in other time zone i.e +08:00 UTC. But the splunk time zone is +0:00 UTC.

I have searched for the props.conf for the specific sourcetype which are getting the future timestamp error. but there was no file available.

the path where is searched for the props.conf is Splunk home/etc/apps/apacinfoblox/local. so please suggest me the way to solve the issue.

How do I fix this error: One or more sourcetypes has been found to present events in the future

field extraction

inputs.conf

monitor

other

props.conf

syslog

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?