Getting Data In

Why are events being indexed appearing to be timestamped in the future?

Explorer

I have events that are being indexed and appearing to be timestamped in the future. The raw events contain a timezone:

2016 Sep 27 14:11:00:999 GMT +1 DOUGTEST2.C2020Tmp-Process_Archive user [BW-User]  Job-9999 C2020GetOfferByIdWS Completed

In props.conf I have:

TIME_FORMAT=%Y %b %d %H:%M:%S.%3N %Z %:::z

The event appears in search showing 15:11 as the time: _time = 2016-09-27T15:11:00.999+01:00. The event actually happened at 14:11 British Summer Time, which is GMT +1, which is what is shown in the raw event. I have my user settings at the correct timezone (GMT: London), my user locale is en_GB in the Splunk Cloud URL, and all data from other data sources is showing up correctly in the indexes.

The data is going from a Universal Forwarder to a Heavy Forwarder (where the props.conf is set) and then on to Splunk Cloud.

I have tried adding a TZ = Europe/London to props.conf but that doesn't fix it.

Where am I going wrong here?

0 Karma

Re: Why are events being indexed appearing to be timestamped in the future?

Explorer

Found it. The time format had a dot rather than a colon before the milliseconds. Fixed that and event times are now all good.


0 Karma
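As an added illustration (not code from the thread, and not Splunk's own parser), the Python below translates the subset of TIME_FORMAT directives used in the question into a regular expression and runs both the posted format (dot before the milliseconds) and the corrected one (colon) against a constructed copy of the raw event. %3N and %:::z are Splunk strptime extensions that Python's datetime.strptime does not know, so the toy parser handles them explicitly. The fallback_as_utc() function is an assumption of mine: it reproduces the observed outcome (14:11 taken as UTC and rendered as 15:11+01:00 for a London user) without claiming to model Splunk's actual fallback logic; the +01:00 London offset for that date is hardcoded rather than looked up from tzdata.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the raw event from the question.
RAW_EVENT = ("2016 Sep 27 14:11:00:999 GMT +1 DOUGTEST2.C2020Tmp-Process_Archive "
             "user [BW-User]  Job-9999 C2020GetOfferByIdWS Completed")

WRONG_FORMAT = "%Y %b %d %H:%M:%S.%3N %Z %:::z"   # as posted in props.conf
FIXED_FORMAT = "%Y %b %d %H:%M:%S:%3N %Z %:::z"   # colon before the milliseconds

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Each supported directive becomes a named capture group. This is a toy
# subset of Splunk's strptime dialect, enough for the event in the question.
_DIRECTIVES = {
    "%Y": r"(?P<Y>\d{4})",
    "%b": r"(?P<b>[A-Z][a-z]{2})",
    "%d": r"(?P<d>\d{1,2})",
    "%H": r"(?P<H>\d{2})",
    "%M": r"(?P<M>\d{2})",
    "%S": r"(?P<S>\d{2})",
    "%3N": r"(?P<N>\d{3})",                       # three-digit subseconds
    "%Z": r"(?P<Z>[A-Z]{3,4})",                   # zone name, e.g. GMT
    "%:::z": r"(?P<z>[+-]\d{1,2}(?::\d{2})?)",    # hour-only offset, e.g. +1
}

# London was on BST (+01:00) on 2016-09-27; fixed here to stay offline.
LONDON_ON_THAT_DATE = timezone(timedelta(hours=1))


def format_to_regex(fmt):
    """Escape the literal separators, then swap each directive for its group."""
    pattern = re.escape(fmt)
    # Longest directive first so "%:::z" is never partially rewritten.
    for directive in sorted(_DIRECTIVES, key=len, reverse=True):
        pattern = pattern.replace(re.escape(directive), _DIRECTIVES[directive])
    return re.compile("^" + pattern)   # prefix match, trailing text is allowed


def parse_event_time(raw, fmt):
    """Return an aware datetime, or None when the format does not match."""
    m = format_to_regex(fmt).match(raw)
    if m is None:
        return None
    g = m.groupdict()
    sign, body = g["z"][0], g["z"][1:]
    hours, _, minutes = body.partition(":")
    delta = timedelta(hours=int(hours), minutes=int(minutes or 0))
    tz = timezone(delta if sign == "+" else -delta)
    return datetime(int(g["Y"]), MONTHS[g["b"]], int(g["d"]),
                    int(g["H"]), int(g["M"]), int(g["S"]),
                    int(g["N"]) * 1000, tzinfo=tz)


def fallback_as_utc(raw):
    """Assumed illustration of what the poster observed: the date and time
    tokens are recovered but the zone suffix is not honoured, so the wall
    clock time is taken as UTC. Not a model of Splunk's real fallback."""
    m = re.match(r"^(\d{4}) ([A-Z][a-z]{2}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}):(\d{3})", raw)
    y, mon, d, h, mi, s, ms = m.groups()
    return datetime(int(y), MONTHS[mon], int(d), int(h), int(mi), int(s),
                    int(ms) * 1000, tzinfo=timezone.utc)


def shown_in_london(dt):
    """Render a timestamp the way a user with a London timezone setting sees it."""
    return dt.astimezone(LONDON_ON_THAT_DATE).isoformat(timespec="milliseconds")


def skew_hours(raw):
    """How far into the future the mis-parsed event lands, in hours."""
    good = parse_event_time(raw, FIXED_FORMAT)
    bad = fallback_as_utc(raw)
    return (bad - good).total_seconds() / 3600


if __name__ == "__main__":
    print("posted format matches:", parse_event_time(RAW_EVENT, WRONG_FORMAT) is not None)
    print("fixed format  ->", shown_in_london(parse_event_time(RAW_EVENT, FIXED_FORMAT)))
    print("fallback      ->", shown_in_london(fallback_as_utc(RAW_EVENT)))
    print("future skew   ->", skew_hours(RAW_EVENT), "hour(s)")
```

The posted format does not match at all because the regex expects "." after the seconds where the event has ":", which is why TZ = Europe/London had no effect: the zone setting only applies once a timestamp has actually been extracted. With the colon restored the event parses as 14:11:00.999+01:00, and the one-hour forward skew disappears. For a detection pipeline that skew matters beyond cosmetics: events stamped in the future fall outside "last 15 minutes" style searches and break ordering in correlation, so a periodic check that _time does not exceed _indextime by more than a small tolerance is a cheap way to catch a broken TIME_FORMAT early.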