Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Event Log time and Indexed time different?

Atchyuth_P
Path Finder
‎08-03-2022 06:54 PM

hi,

Please check with below screenshot

Atchyuth_P_1-1659577705527.png

The indexed time and event log time both are different. Kindly let me know the solution to fix this error.

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 06:57 AM

Hi @Atchyuth_P,

anyway, please try in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[
TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

This props.conf must be located on Indexers or (if present) On Heavy Forwarders.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

wapese3400
Loves-to-Learn
‎08-05-2022 09:07 AM

DSCN0012.jpg

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 11:43 PM

Hi @Atchyuth_P,

this means thet there's a parsing error.

Could your share a sample of your logs to find the correct configuration?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Atchyuth_P
Path Finder
‎08-04-2022 07:40 PM

Hi @gcusello 

Please check the below screenshot for reference.

Atchyuth_P_0-1659666952599.png

I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds 

Atchyuth_P_1-1659667143760.png

I have tried with the TZ setting but was unable to solve it.

Please help

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 06:57 AM

Hi @Atchyuth_P,

anyway, please try in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[
TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

This props.conf must be located on Indexers or (if present) On Heavy Forwarders.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 12:56 AM

Hi @Atchyuth_P,

please share your logs as text in the "Insert/Edit Code Sample" otherwise I cannot use them.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎08-03-2022 08:36 PM

Hello,

You will need to provide timestamp extraction settings to correctly identify that time stamp, if none of the pre trained source types are picking it up.

I suggest you try to add that data using different sourcetypes in the data preview tool, to see which on extracts your time stamp, then use that setting in your own sourcetype settings.

https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/HowSplunkextractstimestamps

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#Timestamp_extraction_configuratio...

Reply
Solved! Jump to solution

Atchyuth_P
Path Finder
‎08-04-2022 07:46 PM

Hi @chaker 

 

Thank you so much. I have learned a lot about Splunk while watching your videos and those helped me to shift my career transition.

Please check the below screenshot for reference.

Atchyuth_P_1-1659667441524.png

I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds

Atchyuth_P_2-1659667567922.png

I have tried with the TZ setting but was unable to solve it.

Please help

 

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎08-03-2022 08:39 PM

This may help you.

https://www.youtube.com/watch?v=Q5EWCT79nZ4

Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...