Hi,
Rather new to Splunk. I got some logs ingested but they are showing Time incorrectly. I have my TZ set on the UF server, Splunk server and in my preferences as EST but I am getting this:
12/11/23 8:35:24.000 AM | 2023-12-11T13:35:24+00:00 routerXXXXXX |
If I look at the field _time I have: 2023-12-11T08:35:24.000-05:00
I suspect the source host or I need a props.conf to fix?
Please share the props.conf stanza for that sourcetype. It looks like the TIME_FORMAT string may be incorrect.
So this is a new install and new source.
In the splunk server there is no props.conf file. I assume I have to create it?
While Splunk can sometimes guess the proper settings for the sourcetype (and sometimes - as shown in this case - does it quite well), as @richgalloway mentioned - it's good to have the so-called "great eight" defined for each sourcetype to make it work consistently and efficiently.
Having said that - in this particular case your main issue is wrong time in your events!
You have your router's time set to a wrong value. Configure it properly. Whether it's reported as UTC or your local timezone is secondary as long as the proper timezone information is supplied (and in your case it is).
So, interestingly enough, in the router's CLI:
xxxx@router:~ # date
Mon Dec 11 15:55:57 EST 2023
Also in the GUI it is showing correctly. I think a props.conf might be the route as it doesn't know how to translate it?
Would anyone be able to help craft an example stanza for it? I just don't want to mess up the logging further.
That is indeed interesting because supposedly keeping track of the timezone but in the end sending the timestamp with local time but explicitly saying that's UTC is not even a mistake. It's almost a crime. What ingenious piece of equipment is that, if you can share this with us?
So it's an OPNsense firewall.
Give these settings a go
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
Thanks for that. I created the file in /opt/splunk/etc/system/local/props.conf as follows:
[default]
[host::router.xxxxxxxx]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = true
I am still getting the discrepancy. Perhaps my props.conf file is not in the correct format or in the right spot for Splunk to read?
On which instance did you install those settings? They should be on the indexers (and heavy forwarders, if you have them). Did you restart the instances after modifying the file? Are you looking at new data? The changes will not affect indexed data. Do you have the correct host name in the stanza? Have you tried using the sourcetype name instead of host?
Every sourcetype should have a stanza in props.conf. Create a props.conf file if there isn't a local copy already.
The stanza should contain these settings, at a minimum:
SHOULD_LINEMERGE
LINE_BREAKER
TIME_PREFIX
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD
TRUNCATE
EVENT_BREAKER_ENABLE
EVENT_BREAKER
And that seems about right. Your router reports 13:35 GMT, so Splunk parses it as 13:35 GMT and shows it to you in your local time zone.
Your data quality is poor - configure your router to either report proper time zone or proper time (or even better - to report proper time in proper timezone).
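To make the behaviour discussed in this thread concrete, here is an added Python example (not code from the thread or from Splunk) that parses the sample events exactly as the suggested TIME_FORMAT does, renders them in the viewer's EST preference, and measures the skew between the event's claimed UTC offset and the device's own `date` output. The event lines and the fixed -05:00 EST offset are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events in the format the thread shows (ISO-8601 with a %:z offset).
SAMPLE_EVENTS = [
    "2023-12-11T13:35:24+00:00 routerXXXXXX filterlog: sample event",
    "2023-12-11T15:55:57+00:00 routerXXXXXX sshd: sample event",
]

# Python equivalent of TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z (Python's %z accepts the colon form).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"
# Fixed offset for EST in December, used instead of a zoneinfo lookup (assumption for the example).
EST = timezone(timedelta(hours=-5), "EST")


def parse_event_time(event, time_format=TIME_FORMAT, lookahead=30):
    """Mimic TIME_PREFIX = ^ with MAX_TIMESTAMP_LOOKAHEAD: only the leading token is parsed."""
    token = event[:lookahead].split(" ", 1)[0]
    return datetime.strptime(token, time_format)


def displayed_time(event, tz=EST):
    """What _time looks like once Splunk renders the parsed instant in the viewer's zone."""
    return parse_event_time(event).astimezone(tz)


def clock_skew_hours(event, device_wall_clock):
    """Hours between the device's own clock reading and the instant its log line claims.

    device_wall_clock is a tz-aware datetime built from the device's `date` output.
    Zero means the log offset is trustworthy; a non-zero value on a +00:00 line means the
    device stamps local wall-clock digits but labels them as UTC (the data quality issue here).
    """
    return (device_wall_clock - parse_event_time(event)).total_seconds() / 3600


def reinterpret_as_local(event, true_tz=EST):
    """Workaround when the device cannot be fixed: keep the digits, discard the bogus offset.

    In props.conf terms this corresponds to a TIME_FORMAT without %:z plus a TZ setting,
    which is only a patch over the root cause and is shown here as an assumption.
    """
    token = parse_event_time(event).replace(tzinfo=None)
    return token.replace(tzinfo=true_tz)
```

Feed a device clock reading such as `Mon Dec 11 15:55:57 EST 2023` into `clock_skew_hours` next to the line the device emitted at that moment; a result of 5.0 confirms the mislabelled offset rather than a Splunk parsing problem.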