Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder?

kpsajin
Explorer

Hi,

We have configured SUSE Linux servers to send their syslogs to a Universal Forwarder. We found a very strange issue when the logs are indexed: Splunk is detecting the wrong year in the timestamp.

For example: if the Linux server IP is 172.20.41.11, Splunk detects the year in the timestamp as 2011. If the IP is x.x.x.12, it detects the year as 2012. If the IP is x.x.x.16 or x.x.x.17 or anything above 15, it detects the year as 2015.

I have tried forwarding the syslogs directly to the Splunk indexer instead of through a universal forwarder, and the timestamp is perfect. I tried setting DATETIME_CONFIG=CURRENT in props.conf on the indexer for the Linux source types, but still no luck when the logs come through the forwarder. Can someone help me find a solution?

0 Karma

woodcock
Esteemed Legend

For your UF using syslog, the timestamping will be done by the Indexer, so if you would like to use DATETIME_CONFIG=CURRENT (which I would advise against; I would always use the timestamp inside the events), then you would put this in props.conf on your Indexers, restart the Splunk instances on each one, and then look for events that come in after that time to see if these are now timestamped correctly.

0 Karma

kpsajin
Explorer

Thanks for the response. I also want to use the timestamp inside the event; the use of DATETIME_CONFIG=CURRENT was only for testing. Below are the details of the syslog event that comes to the Splunk indexer via the universal forwarder. In the event, the date and time come exactly after the IP address. The IP address is 172.5.41.12, the date is Aug 30 and the time is 10:18:43. Unfortunately the year is not in the event, and Splunk detects the last part of the IP, which is 12, as the year 2012.

2012-08-30 13:18:44 08/30/2015 13:18:44 local 172.5.41.12 udp:514 linux_secure Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 2, Llog used 2

0 Karma
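The event above has two "Aug 30 HH:MM:SS" tokens and an IP address with no year anywhere, so an unanchored timestamp search can latch onto the wrong token. The usual fix is to anchor the extraction with TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD in props.conf on the indexers (where UF-forwarded syslog gets its timestamp). The block below is an added illustration, not code from the thread or from Splunk: it applies a constructed stanza with those three settings to the posted event the way Splunk would (TIME_PREFIX is a regex, TIME_FORMAT is strptime-style), and takes the year as a parameter because the syslog line carries none.

```python
import re
from datetime import datetime

# Constructed props.conf stanza for the linux_secure sourcetype; these three
# setting names are standard Splunk props.conf keys, the values are assumptions.
PROPS_STANZA = r"""
[linux_secure]
TIME_PREFIX = \d{1,3}(?:\.\d{1,3}){3}\s+
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
"""

# Raw event text as it arrives from the forwarder (copied from the post above).
RAW_EVENT = ("Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 "
             "Checkpoint Statistics - Avg. Txn Block Time 0.000, "
             "# Txns blocked 0, Plog used 2, Llog used 2")


def parse_stanza(text):
    """Minimal key = value parser for a single props.conf stanza."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def extract_timestamp(raw, settings, year):
    """Anchor on TIME_PREFIX, then parse TIME_FORMAT inside the lookahead window.

    Returns a datetime (year supplied by the caller, since the event has none)
    or None when the prefix or format does not match.
    """
    anchor = re.search(settings["TIME_PREFIX"], raw)
    if not anchor:
        return None
    lookahead = int(settings["MAX_TIMESTAMP_LOOKAHEAD"])
    window = raw[anchor.end():anchor.end() + lookahead]
    # strptime must consume the whole string, so drop trailing tokens until it fits.
    tokens = window.split()
    for n in range(len(tokens), 0, -1):
        try:
            parsed = datetime.strptime(" ".join(tokens[:n]), settings["TIME_FORMAT"])
        except ValueError:
            continue
        return parsed.replace(year=year)
    return None


def event_time_iso(raw=RAW_EVENT, stanza=PROPS_STANZA, year=2015):
    ts = extract_timestamp(raw, parse_stanza(stanza), year)
    return ts.isoformat() if ts else None
```

With the anchor in place the selected timestamp is the one following the IP (10:18:43), and the octet "12" can no longer be mistaken for a year; in real Splunk the missing year is filled in from the current date rather than passed as an argument.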