Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder?

kpsajin
Explorer
‎08-30-2015 03:05 AM

Hi,

We have configured SUSE linux servers to send the syslogs to a Universal Forwarder. We found a very strange issue while the logs are indexed. Splunk is detecting the wrong year in the time stamp.

For example: If the linux server IP is 172.20.41.11, Splunk detects the year in the time stamp as 2011. If the IP is x.x.x.12, it detects year as 2012. If the IP is x.x.x.16 or x.x.x.17 or anything above 15, it detects as 2015.

I have tried to forward syslogs to Splunk Indexer directly instead of a universal forwarder and the time stamp is perfect. I tried to set DATETIME_CONFIG=CURRENT in props.conf in the indexer for the linux source types, but still no luck when the logs are coming through the forwarder. Can someone help to find a solution?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-30-2015 07:12 AM

For your UF using syslog, the timestamping will be done by the Indexer so if you would like to use DATETIME_CONFIG=CURRENT (which I would advise against; I would always use the timestamp inside the events), then you would put this in props.conf on your Indexers and restart the Splunk instances on each one and then look for events that come in after that time to see if these now are timestamped correctly.

0 Karma
Reply

kpsajin
Explorer
‎08-30-2015 11:51 PM

Thanks for the response. I also want to use the timestamp inside the event and the use of DATETIME_CONFIG=CURRENT was for testing. Below is the details of the syslog event which comes to splunk indexer via universal forwarder. In the event, date time is coming exactly after the IP address. The IP address is 172.5.41.12 and date is Aug 30 an time is 10.18.43. Unfortunately the year is not in the event and splunk detects the last bit of IP as the year which is 12 as 2012.

2012-08-30 13:18:44 08/30/2015 13:18:44 local 172.5.41.12 udp:514 linux_secure Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 2, Llog used 2

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top