Getting Data In

Logs do not appear with current time when conducting searches

joelrivera10
Loves-to-Learn

I have a firewall that is sending the logs using UTC time. Actually, all of our network devices send the data using UTC. I extracted the fields of the log file because it's separated by commas. The problem that I am having is that the Splunk server is using EDT (-4 from UTC). So when I do searches and select last 60 minutes or anything relative, it shows the logs from 4 hours ago instead of the logs that happened from 60 minutes ago to now. This is the only device on my network having this problem in Splunk. I am a power user, not the administrator, because of how roles are separated where I work. I tried changing the DATETIME_CONFIG in the sourcetype to CURRENT in the sourcetype settings, but still, when conducting the searches, it collects the data using UTC and doesn't show the latest data. I have been getting away with always remembering to change the exact time window and adding 4 hours. In order to get my dashboards to present the right time I have to use the time picker, but it's starting to get annoying. It has happened, as I have been troubleshooting, that I forgot to change the time and went crazy as I was not able to find the correct traffic data to pinpoint the problem. As I said earlier, I am not an administrator, I am a power user only. So I do not have access to the syslog-ng server that collects the syslog data and forwards it to the search head server. And I do not have access to the search head server, so I cannot change the props.conf file as I have seen people recommend. I am only able to make changes in the Splunk web portal. Any help is appreciated.


venkatasri
SplunkTrust

Hi,

Your logs' time has been set at index time as UTC. Logging in to the Splunk search head and changing the 'Time zone' under the user-specific 'Preferences' to EDT (GMT - 4 hours) would help to resolve your issue.

As a power user you can make the change yourself without admin help.

----

Please upvote if this helps!


joelrivera10
Loves-to-Learn

Thanks for your help. Unfortunately, that didn't work. I do have access to the sourcetype where you can change the timestamp extraction. It is currently set to Auto.


isoutamo
SplunkTrust

Hi

Can you send an example of your log?

Usually it's best practice to set

  • TIME_PREFIX
  • MAX_TIMESTAMP_LOOKAHEAD
  • TIME_FORMAT
  • TZ (if needed)

in props.conf to match the real timestamp on your events.

The easiest way to test those is to use a dev instance on your workstation and there go to Settings -> Add Data -> Files and Directories -> Monitor. Then just click forward and use your test sample to verify that you see the events correctly formatted. When everything is OK, add this props.conf to the current config on your production system.

r. Ismo

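An added example, not from the thread: a props.conf stanza that sets the four keys Ismo lists for a comma-separated firewall log whose first field is a UTC timestamp. The sourcetype name and the sample event are constructed for illustration; these are the same key/value settings the OP says are configurable through Settings -> Data -> Source types instead of editing the file.

```ini
# Added example (not from the thread). Written against this constructed
# firewall event, whose first field is a UTC timestamp with no offset:
#   2024-05-14 13:02:11,fw01,allow,10.0.0.5,203.0.113.9,443,tcp
# "example_fw_csv" is a placeholder sourcetype name.

[example_fw_csv]
# Treat each line as one event; never merge lines into a multi-line event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# The timestamp is the first field, so anchor at the start of the event.
# Without an anchor, auto-detection may pick up a later number-like
# field (port, IP octet) instead of the real timestamp.
TIME_PREFIX = ^

# "2024-05-14 13:02:11" is 19 characters; do not scan past it.
MAX_TIMESTAMP_LOOKAHEAD = 19

# strptime layout that matches the sample exactly.
TIME_FORMAT = %Y-%m-%d %H:%M:%S

# The string carries no zone, so Splunk would otherwise assume the
# indexer's local zone (EDT here) and store _time 4 hours off, which is
# the symptom in the question. Declare the device's zone explicitly.
TZ = UTC
```

Timestamp settings apply at index time, so events already indexed keep their old _time; check the fix on newly arriving events, for example by comparing _time with _indextime in a search.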

joelrivera10
Loves-to-Learn

TZ and TIME_FORMAT I understand, but TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD I do not know how to configure. Unfortunately I do not think I can share my logs. What I can tell you is that it is a firewall log that saves in CSV format. There is a Splunk app that could be installed for this device, but unfortunately I do not have admin access where I could use that app instead. Splunk has helped me out a lot, so I believe it's important that I get this right. Because of work politics I do not have access to the props.conf file directly, but those options are configurable through Settings -> Data -> Source types.
