Getting Data In

Splunk date going backwards?

johnny21
Path Finder

Splunk noobie here - basic install on Centos 7, forwarding syslog from security device and the reported date seems to be going backwards, date in syslog message is correct (example below), where should I be looking/checking?

alt text

0 Karma
1 Solution

johnny21
Path Finder

Follow up resolution that seems to work - I didn't realize I needed to modify the props.conf file AND the inputs.conf files.

props.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/props.conf
[sophos:syslog]
TIME_PREFIX = <..>
TIME_FORMAT = %Y:%m:%D-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

inputs.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/inputs.conf
[tcp://10.0.100.1:5114]
connection_host = ip
source = UTM Syslog
sourcetype = sophos:syslog

View solution in original post

0 Karma

johnny21
Path Finder

Follow up resolution that seems to work - I didn't realize I needed to modify the props.conf file AND the inputs.conf files.

props.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/props.conf
[sophos:syslog]
TIME_PREFIX = <..>
TIME_FORMAT = %Y:%m:%D-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

inputs.conf file

[splunk@localhost ~]$ cat /opt/splunk/etc/apps/search/local/inputs.conf
[tcp://10.0.100.1:5114]
connection_host = ip
source = UTM Syslog
sourcetype = sophos:syslog
0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

johnny21
Path Finder

Also as information this unique syslog is coming from a Sophos UTM security appliance.

alt text

0 Karma

richgalloway
SplunkTrust
SplunkTrust

By default, Splunk displays the most recent events first. That's why dates appear to be going backwards.

However, you appear to have an odd timestamp format in your events. To ensure Splunk processes them properly and as a Best Practice, you should add the following to the [syslog] stanza of the appropriate props.conf file

TIME_PREFIX = >
TIME_FORMAT = %Y:%m%;d-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = false
---
If this reply helps you, Karma would be appreciated.
0 Karma

johnny21
Path Finder

After making the change when I run splunk btool check --debug I get an error:

Invalid key in stanza [source::syslog] in /opt/splunk/etc/system/local/inputs.conf, line 4-7

Is this the correct location where I am supposed to modify props.conf?
Is this the correct way to specify a syslog stanza?

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...