Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: The timestamp has a one hour offset
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The timestamp has a one hour offset
djoiret
Explorer
10-28-2021
07:27 AM
Hello,
I am using "Splunk_TA_juniper" and I noticed a new problem with timestamp: there is a one hour offset for the timestamp compared to the time in the event. For instance, when I have an event whose _raw value starts with "Oct 28 15:12:37 fw-01-gra RT_FLOW: ...", the timestamps is "2021-10-28T16:12:37.000+02:00" (16h instead of 15h). In addition, the event will only appear after an hour after its received by the indexer, in fact when the timestamp value is less than the current time.
This behaviour is new. When I examine events for september (for instance), the timestamp matches the time in the event.
I tried to restart Splunk and the forwarder, nothing was changed. I haven't modify the configuration files for a long time, and I don't know what to do.
Do you have an idea of what is going on or a possible solution?
Regards
Denis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
djoiret
Explorer
11-03-2021
01:18 AM
Hello,
The problem is not from the sources. I have several logs sources (Juniper logs, "authpriv" from Linux servers, Cisco ESA logs, etc.) and all had this 1 hour offset between 10/28 and 10/31 02:00:00. You can see in the joined image two events, one just before 02:00:00 (at 01:59:59) and the second one at 02:00:00. The timestamp for the first event is wrong, the timestamp for the second event is correct.
Denis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
10-28-2021
09:46 AM
It sounds like the country where the source resides recently changed from Summer time to standard time, but the source is still reporting timestamps in Summer time. It could be the application at fault or a Splunk setting. Can you share the props.conf settings for that sourcetype?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
djoiret
Explorer
11-02-2021
09:47 AM
Hello,
After some other investigations, I noticed that in fact ALL events having syslog format for date and time had this 1 hour offset. The problem started on 10/28/2021 00:00:00 until 10/30/2021 23:59:59. All events after 10/31/2021 00:00:00 have a correct timestamp, so the problem just disappeared.
In France we changed from summer time to winter time on Sun 10/31/2021 at 03:00:00 (at 03:00:00, local time was changed to 02:00:00).
I never noticed this problem before, I have been using Splunk since 2014. In my opinion, this looks like a bug in Splunk. I know no algorithm for changing summer time to winter time taking place on tuesday.
For the application Splunk_TA_juniper, there was no parameters about time in "default/props.conf". There are no parameter either in system props.conf.
I added these parameters in "local/props.conf" of application Splunk_TA_juniper before my previous post :
[juniper:junos:firewall]
TIME_FORMAT = "%b %e %T"
TZ = Europe/Paris
This did not change anything.
Denis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
isoutamo
SplunkTrust
11-02-2021
01:52 PM
Hi
I'm not sure if this related anything in your case, but we have noticed that there are still some network equipments, which cannot handle timestamps correctly with syslog feed when summertime starts or ends. Usually it has require reboot and time by time even this haven't helps. There could be two different timestamp in event and one is right and second one is not.
r. Ismo
I'm not sure if this related anything in your case, but we have noticed that there are still some network equipments, which cannot handle timestamps correctly with syslog feed when summertime starts or ends. Usually it has require reboot and time by time even this haven't helps. There could be two different timestamp in event and one is right and second one is not.
r. Ismo
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
