Getting Data In

Why UTC events suddenly started displaying as PST instead of Eastern Time?

att35
Builder

Hi,

We have data from Change Auditor coming via a HEC setup on a Heavy Forwarder. This HF instance was upgraded to Version 9.2.2. After that, I am seeing a difference in the way Splunk displays new events on the SH. It is now converting UTC->PST. I ran a search for the previous week and for those events it is converting the timestamp correctly, from UTC->Eastern.

I am a little confused since both searches are done from the same search head against the same set of indexers. If there was a TZ issue, wouldn't Splunk have converted both incorrectly? I also ran the same searches on the indexer with identical output. Recent events show in PST whereas older events continue to show as EST.

Here are some examples:

For the previous week:

TZ_Correct_PreviousWeek.png

Recent events. Splunk shows a UTC->PST conversion instead:

TZ_Incorrect_Today.png

I did test this manually via Add Data and Splunk is correctly formatting it to Eastern. How can I troubleshoot why recent events in search are showing PST conversion?

My current TZ setting on SH is still set to Eastern Time. Also confirmed that system time for HF, indexers and Search Heads is set to Eastern. 

Thanks 


PickleRick
SplunkTrust

What are your settings for that sourcetype/source/host? And how are you pushing the events (to which endpoint)?


att35
Builder

@PickleRick Updated the post with the settings in place on HF.

Data is being received at the Heavy Forwarder via a HEC input. It then gets forwarded to the indexers.


PickleRick
SplunkTrust

Yes, I understand that it's pushed to the HEC input on the HF. But to which API endpoint? Because there are at least three endpoints for the HEC input:

/services/collector/raw

/services/collector/event

/services/collector/mint

Additionally the /event endpoint can accept parameters changing the ingestion process.

So I repeat my question - to which endpoint is your data being sent?


att35
Builder

@PickleRick 

It is sending to services/collector/event

HEC_endpoint.png


PickleRick
SplunkTrust

So your timestamp extraction definition is not used because unless &auto_extract_timestamp=true is added to the /event URI, that endpoint skips timestamp extraction completely and uses the "time" field from the event's envelope or (if there isn't one) a current timestamp from the receiving component (in your case - the HF).

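The behaviour described above has a direct consequence for anyone building the sender: if the /event endpoint is used without auto_extract_timestamp=true, the only way to keep the event's real UTC time (which detection timelines and forensic correlation depend on) is to put it in the envelope's "time" field yourself. The script below is an added example, not code from the thread or from Splunk or Change Auditor; it assumes a Change Auditor style JSON event with a "timeDetected" field in the constructed format "%Y-%m-%dT%H:%M:%SZ", and it builds the envelope and the two URL variants PickleRick mentions.

```python
"""
Added example (not from the thread, Splunk, or Change Auditor): build a HEC
/services/collector/event payload whose envelope carries an explicit "time"
derived from the event's own UTC "timeDetected" field, so the receiving HF
does not stamp the event with its local receive time.
Sample event, field names and the timeDetected format are constructed.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a Change Auditor style event carrying a UTC timestamp.
SAMPLE_EVENT = {
    "timeDetected": "2024-12-10T14:03:22Z",
    "userName": "jdoe",
    "action": "Group membership changed",
}

# Assumed format of the timeDetected field (trailing Z = UTC).
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def time_detected_to_epoch(event: dict) -> float:
    """Parse the event's UTC timeDetected string into epoch seconds."""
    dt = datetime.strptime(event["timeDetected"], TIME_FORMAT)
    return dt.replace(tzinfo=timezone.utc).timestamp()


def build_hec_envelope(event: dict, sourcetype: str,
                       index: Optional[str] = None) -> dict:
    """Wrap a raw event in the HEC /event envelope with an explicit 'time'.

    Without 'time', the /event endpoint skips timestamp extraction and uses
    the receiver's current clock, which is what the thread observed after
    the upgrade.
    """
    envelope = {
        "time": time_detected_to_epoch(event),   # epoch seconds, UTC
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        envelope["index"] = index
    return envelope


def hec_event_url(base_url: str, auto_extract_timestamp: bool = False) -> str:
    """Return the /event collector URL; with auto_extract_timestamp=True the
    URL asks Splunk to run props.conf timestamp extraction on the body instead
    of relying on the envelope."""
    url = f"{base_url.rstrip('/')}/services/collector/event"
    if auto_extract_timestamp:
        url += "?auto_extract_timestamp=true"
    return url


if __name__ == "__main__":
    # hf.example.internal is a placeholder host, not a real system.
    print(hec_event_url("https://hf.example.internal:8088"))
    print(json.dumps(build_hec_envelope(SAMPLE_EVENT, "change:auditor")))
```

The envelope route is the cheaper of the two: the HF never has to run the timestamp regex, and the value is unambiguous epoch time rather than a string whose timezone must be guessed downstream.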

att35
Builder

@PickleRick 

I changed the URL to use raw endpoint. This seems to have fixed the timestamp but Splunk is now breaking the events at the timestamp fields.

utc_issue.png

I have added KV_MODE = json for this sourcetype on both HF and SH but that did not fix the line breaking.


PickleRick
SplunkTrust

KV_MODE has nothing to do with line breaking.

And I'd expect that you simply don't have a properly set up line breaker and you have line merging enabled. Which results in Splunk splitting your input stream at each line and then merging the lines back (which is also very ineffective performance-wise).


dural_yyz
Builder

Please provide your props.conf stanza for the specific sourcetype. In my experience this is an indication where UTC is not explicitly set and the local HF timezone is being used, which is not Eastern. I'm not saying that is the case here for sure, because perhaps you do have the TZ explicitly set.

The golden rule is never let Splunk automagically guess the time. It's right almost always, but when it's not it can mess with production data at the worst times.


att35
Builder

@dural_yyz 

I don't see any specific settings for this sourcetype under local props.conf. I added TIME_PREFIX and TZ values but that didn't change anything.

This is on the source which is getting the data, i.e. Heavy Forwarder. Do I need to place any of these settings on indexer/SH as well?

[change:auditor]
category = Custom
pulldown_type = 1
TIME_PREFIX = timeDetected
TZ = UTC


System time zone on HF is set to EDT


HF_systemtime.png



dural_yyz
Builder

TIME_PREFIX is a regex match for what immediately precedes your timestamp. There are extra quotes, spaces, and what appears to be JSON key/value pair identifiers. I would make the value more explicit and add a MAX_TIMESTAMP_LOOKAHEAD key once you establish a proper match above.
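To see why the loose TIME_PREFIX = timeDetected posted above cannot work, and what a tightened stanza (explicit prefix, TIME_FORMAT, TZ, MAX_TIMESTAMP_LOOKAHEAD, plus the LINE_BREAKER / SHOULD_LINEMERGE pair PickleRick raised for the /raw endpoint) would do, here is an added example that emulates those settings on constructed JSON lines. It is not Splunk's parser and not code from the thread; the stanza values, the sample events and the "%Y-%m-%dT%H:%M:%SZ" format of timeDetected are assumptions, and the emulation only checks that the regex, lookahead window and format agree with the data.

```python
"""
Added example (not from the thread or from Splunk): a small emulation of how an
explicit props.conf stanza would act on raw JSON lines sent to /services/collector/raw.
The stanza below is assumed, not the poster's; the sample events are constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed stanza: explicit line breaking and explicit timestamp recognition.
# The TIME_PREFIX regex consumes the JSON key, the colon and the opening quote
# so the lookahead window starts exactly at the timestamp characters.
PROPS_STANZA = r"""
[change:auditor]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = "timeDetected"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = UTC
KV_MODE = json
"""

# Constructed sample stream: two newline-delimited Change Auditor style events.
SAMPLE_STREAM = (
    '{"timeDetected": "2024-12-10T14:03:22Z", "userName": "jdoe", "action": "Group membership changed"}\n'
    '{"timeDetected": "2024-12-10T14:05:09Z", "userName": "asmith", "action": "Password reset"}\n'
)


def parse_stanza(text: str) -> Dict[str, str]:
    """Read key = value lines from a single props.conf stanza (stanza header skipped)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


SETTINGS = parse_stanza(PROPS_STANZA)
# The loose prefix from the thread, kept for comparison: same stanza, weak TIME_PREFIX.
LOOSE_SETTINGS = dict(SETTINGS, TIME_PREFIX="timeDetected")


def break_lines(stream: str, settings: Dict[str, str] = SETTINGS) -> List[str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false: the captured group is
    the break, so every non-empty line becomes one event, with no merge pass."""
    return [e for e in re.split(settings["LINE_BREAKER"], stream) if e.strip()]


def extract_timestamp(raw: str, settings: Dict[str, str] = SETTINGS) -> Optional[float]:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT + TZ.

    Returns epoch seconds, or None when the prefix or format does not line up
    (real Splunk would then fall back to guessing, which the thread warns against).
    """
    m = re.search(settings["TIME_PREFIX"], raw)
    if not m:
        return None
    window = raw[m.end(): m.end() + int(settings["MAX_TIMESTAMP_LOOKAHEAD"])]
    fmt = settings["TIME_FORMAT"]
    if settings["TZ"] == "UTC":
        tz = timezone.utc
    else:  # only reached for a non-UTC stanza; needs system tzdata
        from zoneinfo import ZoneInfo
        tz = ZoneInfo(settings["TZ"])
    # Try the longest prefix of the window that TIME_FORMAT accepts.
    for end in range(len(window), 0, -1):
        try:
            dt = datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=tz).timestamp()
    return None


if __name__ == "__main__":
    for event in break_lines(SAMPLE_STREAM):
        print(extract_timestamp(event), extract_timestamp(event, LOOSE_SETTINGS), event[:40])
```

With the loose prefix the 20-character window begins at `": "2024-12-10T14:03`, so the quote and colon land in front of the date and nothing matches TIME_FORMAT; with the explicit prefix the window is exactly the 20 characters of the timestamp. Because the HF is the component that parses, this stanza belongs on the HF; indexers receive already-cooked events from it, and KV_MODE on the SH only affects search-time field extraction.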

att35
Builder

Thanks @dural_yyz 

Will try that.
