Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is some data source indexed one hour in the future?

emallinger
Communicator
‎04-15-2022 08:32 AM

Hi,

Some data source is indexed one hour in the future (probably since TZ shift => twice a year hour change in France !! this time +0100hour).

We were on gmt+1, now we're on gmt+2.


I don't know where the problem is.
- checked the server ntp => ok, gmt+2 updated
- checked the data source file => ok
- tried to reproduced in dev env on a mono-instance : issue not reproducted !

- this is the only data source with the issue

My prod env is distributed (SHC, Indexer Cluster and multiple forwarders)

- data is a jsonl file.

I'm soo lost !!

Thank you for your help !!

Ema

on the indexer cluster :

[mysourcetype]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX= "dte":"
TIME_FORMAT = %d/%m/%Y %H:%M:%S
TRUNCATE = 0
MAX_DAYS_AGO = 4000
category = Structured
disabled = false
pulldown_type = true

 

data sample :

{"idj":"3108824152","dce":"IDN","fce":"IDN2","ace":"176","dte":"08/04/2022 14:44:31","org":"GN","dmc":"2","idu":"211151","csu":"00082827","lsu":"CROSS BDOHRIJ GHBGD14 ","ctx":"Identifiant:PN-003042021007790-ARD-PPM-70732201#Procédure de référence:CIAHTDT CENTRAL DE CNJAEN-2021-007790#Type personne:Physique#Qualité personne:Mise en cause#Nom:XXX#Prénom:yyy#Lieu de naissance:CAEN#Date de naissance:05/01/1991#","idd":"PN-0030428541021007790-ARD-PPM-7074532201","ise":"N","cts":[{"idj":"3108824152","nom":"XXX","pre":"yyy","jne":"5","mne":"1","ane":"1981","lne":"CAEN","cot":"","not":"","qot":"","nuo":"","ctt":"","gtt":"","qtt":"","ntt":""}]}

 

This data is indexed at  08/04/2022 15:44:31 for 08/04/2022 14:44:31 !

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-15-2022 08:46 AM

Your source doesn't report the timezone so the indexer/hf, since no tz is defined for the sourcetype, interprets with its local timezone.

0 Karma
Reply

emallinger
Communicator
‎04-19-2022 01:27 AM

Hello,

 

Yes, but source and indexer are in the same time zone, at the same hour.

So why the difference ?

Thanks for your suggestions,

Ema

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...