Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Time drift between logs and time column

sigma
Path Finder
‎03-16-2024 02:35 PM

Hi all,

I have installed and configured  fortiweb for splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that it differs from my time zone by exactly 7 hours.
I also added TZ = MyTimeZone to the props.conf of the app but problem still exists.

For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30).

imageedit_2_2757226905.gif

 

 Any ideas are appreciated.

Tags (2)
0 Karma
Reply

marnall
Motivator
‎03-17-2024 01:33 AM

I would recommend making the following checks:

1. The props.conf file is on the indexer machines
2. The props.conf file is readable by the splunk user
3. The TZ value in the props.conf file reflects the timezone of the logs
4. In your Splunk User Preferences in the webUI, your timezone is set to your current timezone

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-18-2024 03:19 AM

Hi

it's quite possible that your logs have issues in onboarding. It's probably take wrong timezone information from logs or actually cannot find it and for that reason it use some assumptions which seems to to incorrect.

Here https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf is excellent picture/flow how data is ingested into splunk and where you should put different configuration options. It's new version of previous MASA diagram.

r. Ismo

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...