Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Time drift between logs and time column

sigma
Path Finder
‎03-16-2024 02:35 PM

Hi all,

I have installed and configured  fortiweb for splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that it differs from my time zone by exactly 7 hours.
I also added TZ = MyTimeZone to the props.conf of the app but problem still exists.

For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30).

imageedit_2_2757226905.gif

 

 Any ideas are appreciated.

Tags (2)
0 Karma
Reply

marnall
Motivator
‎03-17-2024 01:33 AM

I would recommend making the following checks:

1. The props.conf file is on the indexer machines
2. The props.conf file is readable by the splunk user
3. The TZ value in the props.conf file reflects the timezone of the logs
4. In your Splunk User Preferences in the webUI, your timezone is set to your current timezone

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-18-2024 03:19 AM

Hi

it's quite possible that your logs have issues in onboarding. It's probably take wrong timezone information from logs or actually cannot find it and for that reason it use some assumptions which seems to to incorrect.

Here https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf is excellent picture/flow how data is ingested into splunk and where you should put different configuration options. It's new version of previous MASA diagram.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...