Re: Problems with time stamp

sgarcia · ‎03-23-2022

I have a device that is reporting to the splunk through syslog, that device first goes through an F5 and the F5 gives me the traffic to my heavy forwarders. The problem is that the year of the time stamp is out of date, the date when a server event is generated is 2022 and in the search head, I see it as 2017. I don't know if the problem is from the origin server at the syslog protocol level or in the transport layer or at the collection level within the splunk. This issue only occurs on 3 computers out of 10.

I have reviewed the prop settings, but if I don't see the year in the source data, I will hardly be able to modify the timestamp.

Regards

gcusello · ‎03-24-2022

Hi @sgarcia,

could you share some sample of your data, both original and parsed in Splunk if possible?

Ciao.

Giuseppe

sgarcia · ‎03-30-2022

Hello my friend

It was already solved, the props.conf file was configured and I could see the events reflected with the current date.

Regards

ITWhisperer · ‎03-23-2022

What is different about those 3 computers compared to the other 7?

sgarcia · ‎03-30-2022

Hello

It was already solved, the props.conf file was configured and I could see the events reflected with the current date.

Regards

Problems with time stamp

heavy forwarder

props.conf

syslog

transforms.conf

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Join the Conversation

Problems with time stamp

heavy forwarder

props.conf

syslog

transforms.conf

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...