Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem with time in Edge Processor

adrifesa95
Engager
‎04-10-2024 04:08 AM

Hello,

I am receiving darktrace events through my Edge Processor as a Forwarder and I am a bit new to the SPL2 pipeline. It can probably be solved by transforming something in the pipeline.

The problem is that I am indexing events with a _time of -5h and a 2h difference from the event time stamp. Here is an example:

adrifesa95_1-1712747276840.png

 

Time in the Edge Processor:

adrifesa95_0-1712747181181.png

It should be noted that the rest of the events that I ingest through this server are arriving at the correct time.

Labels (2)
Labels
0 Karma
Reply

adrifesa95
Engager
‎04-18-2024 08:11 AM

Yes, but nothing relevant

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-10-2024 05:40 PM

Look at the raw text rather than the JSON to see what Splunk may be using for timestamp detection. The JSON view is sorted and Splunk will only look a certain distance into the event to detect a timestamp (128 bytes by default).

If it cannot find a timestamp, then it will use current time

https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Propsconf#Timestamp_extraction_configuratio...

0 Karma
Reply

adrifesa95
Engager
‎04-11-2024 12:37 AM

Here the raw:
adrifesa95_0-1712821023278.png

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-11-2024 04:42 PM

That looks like it is more than 128 characters into the event, so you should set up MAX_TIMESTAMP_LOOKAHEAD and optionally TIME_PREFIX for your sourcetype for that data.

 

0 Karma
Reply

adrifesa95
Engager
‎04-16-2024 01:48 AM

How can I do this? Note that the forwarder is an Edge Processor and you can't touch the conf files, everything is modified in the GUI.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-16-2024 04:58 PM

OK, I'm unsure where the time will get extracted, but have you looked at this document

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/EdgeProcessor/TimeExtractionPipeline

 

0 Karma
Reply

adrifesa95
Engager
‎04-23-2024 03:10 AM

yes...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...