Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I fix this error: One or more sourcetypes has been found to present events in the future

Mohanveera1
Explorer
‎06-01-2022 01:27 AM

Hello everyone,

In Splunk GUI when i run health check its showing one error like One or more source types has been found to present events in the future. All the sources are giving the correct timestamp with timezone UTC +0:00 but when i checked the devices that are configured with the source types with the error, the devices are in the other timezone i.e UTC +08:00, and we are receiving the logs that are also in the future timezone. so how can i overcome this problem with the future timestamp. the Splunk indexer time zone is UTC +0:00 please refer the screenshot.

Mohanveera1_0-1654071944547.png

Thanks in advance............

0 Karma
Reply

venky1544
Builder
‎06-01-2022 01:53 AM

HI @Mohanveera1 

it could be that  the timestamp extraction for this sourcetype in the props.conf might be ignoring the time zone specifier probably you might want to consider using theTimezone(TZ) attribute if the event time stamp does not have  a time zone

would you mind sharing the props configuration for this sourcetype

 

Note: if it helps karma points are appreciated/if it resolves acceptance of the solution is appreciated 

0 Karma
Reply

Mohanveera1
Explorer
‎06-01-2022 02:20 AM

Hi @venky1544 

 

Thank you for your response.

The events are having the timestamp and the devices from which the events are generating are in other time zone i.e +08:00 UTC. But the splunk time zone is +0:00 UTC.

I have searched for the props.conf for the specific sourcetype which are getting the future timestamp error. but there was no file available.

the path where is searched for the props.conf is Splunk home/etc/apps/apacinfoblox/local. so please suggest me the way to solve the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...