Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Event Log time and Indexed time different?

Atchyuth_P
Path Finder
‎08-03-2022 06:54 PM

hi,

Please check with below screenshot

Atchyuth_P_1-1659577705527.png

The indexed time and event log time both are different. Kindly let me know the solution to fix this error.

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 06:57 AM

Hi @Atchyuth_P,

anyway, please try in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[
TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

This props.conf must be located on Indexers or (if present) On Heavy Forwarders.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

wapese3400
Loves-to-Learn
‎08-05-2022 09:07 AM

DSCN0012.jpg

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 11:43 PM

Hi @Atchyuth_P,

this means thet there's a parsing error.

Could your share a sample of your logs to find the correct configuration?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Atchyuth_P
Path Finder
‎08-04-2022 07:40 PM

Hi @gcusello 

Please check the below screenshot for reference.

Atchyuth_P_0-1659666952599.png

I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds 

Atchyuth_P_1-1659667143760.png

I have tried with the TZ setting but was unable to solve it.

Please help

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 06:57 AM

Hi @Atchyuth_P,

anyway, please try in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[
TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

This props.conf must be located on Indexers or (if present) On Heavy Forwarders.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 12:56 AM

Hi @Atchyuth_P,

please share your logs as text in the "Insert/Edit Code Sample" otherwise I cannot use them.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎08-03-2022 08:36 PM

Hello,

You will need to provide timestamp extraction settings to correctly identify that time stamp, if none of the pre trained source types are picking it up.

I suggest you try to add that data using different sourcetypes in the data preview tool, to see which on extracts your time stamp, then use that setting in your own sourcetype settings.

https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/HowSplunkextractstimestamps

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#Timestamp_extraction_configuratio...

Reply
Solved! Jump to solution

Atchyuth_P
Path Finder
‎08-04-2022 07:46 PM

Hi @chaker 

 

Thank you so much. I have learned a lot about Splunk while watching your videos and those helped me to shift my career transition.

Please check the below screenshot for reference.

Atchyuth_P_1-1659667441524.png

I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds

Atchyuth_P_2-1659667567922.png

I have tried with the TZ setting but was unable to solve it.

Please help

 

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎08-03-2022 08:39 PM

This may help you.

https://www.youtube.com/watch?v=Q5EWCT79nZ4

Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

The Splunk Developer Program is launching in beta, and we’re celebrating with an exciting hackathon! This is ...
Top