Timestamp of events is wrong after indexer reboot?

dritjon · ‎02-20-2023

Hello, I'm having a problem where the _time field of events does not match the actual events. This happened after I rebooted the splunk server.

As you can see from the pics, before the reboot the Time stamp, _time matches the time field

After the reboot the _time stamp is 2 hours before the time field

I checked the local linux server time, the user's Splunk time, they're all OK. Where does Splunk change the time of the events?

ITWhisperer · ‎02-20-2023

The timestamp _time is being picked up from the same place in the event before and after the reboot.

Note in the before image the time is 11:59:34 PM which tallies with 23:59:34 from the first timestamp in the event. The second highlighted time is 1 second earlier i.e. time=23:59:33.

dritjon · ‎02-20-2023

> The timestamp _time is being picked up from the same place in the event before and after the reboot.

But the path is the same. I did not change anything, only rebooted the server

ITWhisperer · ‎02-20-2023

The event has been ingested from somewhere which has written a time field as part of the data. Actually, there are two time fields, one at the beginning of the event (which is the one Splunk appears to be using) and one further on in the event record. Splunk does not normally change this event data, it merely interprets what it finds. It appears to be interpreting the first time field both before and after the reboot. Has something changed on the server which is producing these events?

Timestamp of events is wrong after indexer reboot?

time

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!