Why is Splunk detecting the wrong timestamp for SUSE Linux Syslog when using a universal forwarder?

kpsajin
Explorer

Hi,

We have configured SUSE Linux servers to send their syslogs to a Universal Forwarder. We found a very strange issue when the logs are indexed: Splunk is detecting the wrong year in the timestamp.

For example: if the Linux server IP is 172.20.41.11, Splunk detects the year in the timestamp as 2011. If the IP is x.x.x.12, it detects the year as 2012. If the IP is x.x.x.16 or x.x.x.17 or anything above 15, it detects it as 2015.

I have tried forwarding the syslogs to the Splunk indexer directly instead of through a universal forwarder, and the timestamp is perfect. I tried setting DATETIME_CONFIG=CURRENT in props.conf on the indexer for the Linux source types, but still no luck when the logs come through the forwarder. Can someone help find a solution?

0 Karma

woodcock
Esteemed Legend

For your UF using syslog, the timestamping will be done by the indexer, so if you would like to use DATETIME_CONFIG=CURRENT (which I would advise against; I would always use the timestamp inside the events), then you would put this in props.conf on your indexers, restart the Splunk instance on each one, and then look for events that come in after that time to see if these are now timestamped correctly.

0 Karma

kpsajin
Explorer

Thanks for the response. I also want to use the timestamp inside the event; the use of DATETIME_CONFIG=CURRENT was only for testing. Below are the details of a syslog event that comes to the Splunk indexer via the universal forwarder. In the event, the date and time come exactly after the IP address. The IP address is 172.5.41.12, the date is Aug 30 and the time is 10:18:43. Unfortunately the year is not in the event, and Splunk takes the last octet of the IP, which is 12, as the year, giving 2012.

2012-08-30 13:18:44 08/30/2015 13:18:44 local 172.5.41.12 udp:514 linux_secure Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, Plog used 2, Llog used 2

0 Karma
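One way to check a candidate timestamp configuration against this exact event layout before touching the indexers, written as an added example for this thread (it is not code from the thread, from the original posters or from Splunk). It assumes a props.conf stanza for the sourcetype using the real Splunk attributes TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD; the regex and format values are assumptions written for the event quoted above, where the UF's own syslog header ("Aug 30 13:18:44 172.5.41.12") precedes the original SUSE line whose timestamp follows the source IP. The script contrasts an unanchored "first timestamp wins" guess with a prefix-anchored extraction, and fills the missing year from a reference clock rather than from anything in the text.

```python
import re
from datetime import datetime

# Constructed sample: the raw event quoted in the thread (UF syslog header, then the
# original SUSE syslog line whose timestamp follows the source IP). No year anywhere.
RAW_EVENT = ("Aug 30 13:18:44 172.5.41.12 Aug 30 10:18:43 bccdb 13:18:13 "
             "Checkpoint Statistics - Avg. Txn Block Time 0.000, # Txns blocked 0, "
             "Plog used 2, Llog used 2")

# Candidate props.conf settings (real Splunk attribute names) for a stanza such as
# [linux_secure]; the values are assumptions chosen for this event layout.
# TIME_PREFIX skips the forwarder's "Mon DD HH:MM:SS <ip> " header so the timestamp
# search starts at the original syslog timestamp, not at the IP address.
PROPS = {
    "TIME_PREFIX": r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{1,3}(?:\.\d{1,3}){3}\s+",
    "TIME_FORMAT": "%b %d %H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": 15,
}

# Shape of a BSD-syslog timestamp without a year ("Aug 30 10:18:43").
MONTH_TS = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}")


def parse_without_year(text, fmt, now):
    """Parse a year-less timestamp, taking the year from the reference clock `now`.

    Prepending the year (instead of strptime's 1900 default) keeps 'Feb 29' valid
    in leap years.
    """
    return datetime.strptime(f"{now.year} {text}", f"%Y {fmt}")


def first_timestamp_guess(event, now):
    """Unanchored behaviour: the first month-name timestamp in the event wins.

    On this event that is the forwarder's header time (13:18:44), not the
    application time the poster wants (10:18:43).
    """
    m = MONTH_TS.search(event)
    if not m:
        return None
    return parse_without_year(m.group(0), "%b %d %H:%M:%S", now)


def anchored_timestamp(event, props, now):
    """Apply TIME_PREFIX, then parse TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD chars."""
    prefix = re.search(props["TIME_PREFIX"], event)
    if not prefix:
        return None  # prefix did not match: Splunk would fall back to auto-detection
    start = prefix.end()
    window = event[start:start + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    # Try the longest candidate first so that trailing text does not break strptime.
    for end in range(len(window), 0, -1):
        try:
            return parse_without_year(window[:end], props["TIME_FORMAT"], now)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Reference clock taken from the index time shown in the thread (08/30/2015).
    now = datetime(2015, 8, 30, 13, 18, 44)
    print("unanchored guess:", first_timestamp_guess(RAW_EVENT, now))
    print("anchored extract:", anchored_timestamp(RAW_EVENT, PROPS, now))
```

Run it against a handful of real lines from the affected sourcetype with the stanza values you intend to deploy; if `anchored_timestamp` returns None for any of them, the prefix regex does not match that layout and Splunk would fall back to guessing. Remember that the props.conf stanza belongs on the indexers (or the heavy forwarder doing parsing), since a universal forwarder does not parse timestamps.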