Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I fix this error: One or more sourcetypes has been found to present events in the future

Mohanveera1
Explorer
‎06-01-2022 01:27 AM

Hello everyone,

In Splunk GUI when i run health check its showing one error like One or more source types has been found to present events in the future. All the sources are giving the correct timestamp with timezone UTC +0:00 but when i checked the devices that are configured with the source types with the error, the devices are in the other timezone i.e UTC +08:00, and we are receiving the logs that are also in the future timezone. so how can i overcome this problem with the future timestamp. the Splunk indexer time zone is UTC +0:00 please refer the screenshot.

Mohanveera1_0-1654071944547.png

Thanks in advance............

0 Karma
Reply

venky1544
Builder
‎06-01-2022 01:53 AM

HI @Mohanveera1 

it could be that  the timestamp extraction for this sourcetype in the props.conf might be ignoring the time zone specifier probably you might want to consider using theTimezone(TZ) attribute if the event time stamp does not have  a time zone

would you mind sharing the props configuration for this sourcetype

 

Note: if it helps karma points are appreciated/if it resolves acceptance of the solution is appreciated 

0 Karma
Reply

Mohanveera1
Explorer
‎06-01-2022 02:20 AM

Hi @venky1544 

 

Thank you for your response.

The events are having the timestamp and the devices from which the events are generating are in other time zone i.e +08:00 UTC. But the splunk time zone is +0:00 UTC.

I have searched for the props.conf for the specific sourcetype which are getting the future timestamp error. but there was no file available.

the path where is searched for the props.conf is Splunk home/etc/apps/apacinfoblox/local. so please suggest me the way to solve the issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...