Getting Data In

Splunk date going backwards?

johnny21
Path Finder

Splunk noobie here - basic install on Centos 7, forwarding syslog from security device and the reported date seems to be going backwards, date in syslog message is correct (example below), where should I be looking/checking?

alt text

0 Karma
1 Solution

johnny21
Path Finder

Follow up resolution that seems to work - I didn't realize I needed to modify the props.conf file AND the inputs.conf files.

props.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/props.conf
[sophos:syslog]
TIME_PREFIX = <..>
TIME_FORMAT = %Y:%m:%D-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

inputs.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/inputs.conf
[tcp://10.0.100.1:5114]
connection_host = ip
source = UTM Syslog
sourcetype = sophos:syslog

View solution in original post

0 Karma

johnny21
Path Finder

Follow up resolution that seems to work - I didn't realize I needed to modify the props.conf file AND the inputs.conf files.

props.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/props.conf
[sophos:syslog]
TIME_PREFIX = <..>
TIME_FORMAT = %Y:%m:%D-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

inputs.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/inputs.conf
[tcp://10.0.100.1:5114]
connection_host = ip
source = UTM Syslog
sourcetype = sophos:syslog

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

johnny21
Path Finder

Also as information this unique syslog is coming from a Sophos UTM security appliance.

alt text

0 Karma

richgalloway
SplunkTrust
SplunkTrust

By default, Splunk displays the most recent events first. That's why dates appear to be going backwards.

However, you appear to have an odd timestamp format in your events. To ensure Splunk processes them properly and as a Best Practice, you should add the following to the [syslog] stanza of the appropriate props.conf file

TIME_PREFIX = >
TIME_FORMAT = %Y:%m%;d-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = false
---
If this reply helps you, an upvote would be appreciated.
0 Karma

johnny21
Path Finder

After making the change when I run splunk btool check --debug I get an error:

Invalid key in stanza [source::syslog] in /opt/splunk/etc/system/local/inputs.conf, line 4-7

Is this the correct location where I am supposed to modify props.conf?
Is this the correct way to specify a syslog stanza?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!