Getting Data In

Time drift between logs and time column

sigma
Path Finder

Hi all,

I have installed and configured the FortiWeb for Splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that differs from my time zone by exactly 7 hours.
I also added TZ = MyTimeZone to the props.conf of the app, but the problem still exists.

For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30).

Any ideas are appreciated.


marnall
Motivator

I would recommend making the following checks:

1. The props.conf file is on the indexer machines
2. The props.conf file is readable by the splunk user
3. The TZ value in the props.conf file reflects the timezone of the logs
4. In your Splunk User Preferences in the webUI, your timezone is set to your current timezone

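As an added illustration of check 3 above (not code from the thread or from the FortiWeb app), this script reproduces the drift that appears when the indexer's TZ override disagrees with the offset the log itself declares. The event layout (date=, time=, timezone_dayst="+0330") is a constructed sample; only the field name timezone_dayst comes from the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed FortiWeb-style event: local wall-clock time plus the device's
# own UTC offset in the timezone_dayst field. Not taken from the thread.
SAMPLE_EVENT = ('date=2024-03-18 time=01:07:00 timezone_dayst="+0330" '
                'log_id=20000001 msg="constructed sample"')

EVENT_RE = re.compile(
    r'date=(\S+) time=(\S+) timezone_dayst="([+-])(\d{2})(\d{2})"')

# The two TZ overrides compared below: the one matching the log, and the
# same offset with its sign flipped (the -3:30 vs +3:30 case in the question).
CORRECT_TZ = timezone(timedelta(hours=3, minutes=30))
SIGN_FLIPPED_TZ = timezone(-timedelta(hours=3, minutes=30))


def _wall_clock_and_offset(event):
    """Extract the naive wall-clock time and the declared UTC offset."""
    m = EVENT_RE.search(event)
    if not m:
        raise ValueError("event does not match the expected layout")
    date_s, time_s, sign, hh, mm = m.groups()
    naive = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
    delta = timedelta(hours=int(hh), minutes=int(mm))
    return naive, timezone(-delta if sign == "-" else delta)


def epoch_from_log_field(event):
    """Epoch the event should get: wall-clock read in the offset the log declares."""
    naive, declared_tz = _wall_clock_and_offset(event)
    return naive.replace(tzinfo=declared_tz).timestamp()


def epoch_with_tz_override(event, tz_override):
    """Epoch an indexer assigns when props.conf TZ forces the wall-clock into tz_override."""
    naive, _ = _wall_clock_and_offset(event)
    return naive.replace(tzinfo=tz_override).timestamp()


def drift_hours(event, tz_override):
    """Hours by which _time would be off under tz_override (0.0 means TZ matches the log)."""
    return (epoch_with_tz_override(event, tz_override)
            - epoch_from_log_field(event)) / 3600


if __name__ == "__main__":
    print("drift with matching TZ:", drift_hours(SAMPLE_EVENT, CORRECT_TZ))
    print("drift with sign-flipped TZ:", drift_hours(SAMPLE_EVENT, SIGN_FLIPPED_TZ))
```

Run it against a real event (with the regex adjusted to that device's layout) to confirm whether the offset in the log and the TZ stanza in props.conf agree before touching the indexer config.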

isoutamo
SplunkTrust

Hi

It's quite possible that your logs have issues in onboarding. It probably takes wrong timezone information from the logs, or actually cannot find it and for that reason uses some assumptions which seem to be incorrect.

Here https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf is an excellent picture/flow of how data is ingested into Splunk and where you should put the different configuration options. It's a new version of the previous MASA diagram.

r. Ismo
