Re: Indexed time and event logged time is mismatch...

gkumarashanmuga · ‎06-06-2018

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please let me know how to fix this timestamp issues. I guess need to use props.conf timestamp settings.

Sample event :

I viewed it in list mode

Time
6/6/18
11:28:09.000 AM

EVENT
20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@111] Test Backup succeeded

Likewise all the events are generated

If i viewed in Raw mode :

20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@11] Test Backup succeeded.

DEAD_BEEF · ‎06-06-2018

I don't see anything wrong with the time either. It may help if you included a screenshot or something. Both timestamps are 11:28:09. What's the issue?

Richfez · ‎06-06-2018

I'm not sure I see what's wrong. I see no year in your raw event, so from where would Splunk get a value to use other than "The current year?"

Unless - is the "20 6" supposed to be "2006" or "2016" or "2026" or something?

Do you have any control over the format of the raw events?

Indexed time and event logged time is mismatching

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation