Getting Data In

Why is status superimposed on our logs?

ArtistOfXtreme
Engager

Hello Guys!

It's my first post, so sorry if the title is not as specific as it should be.

Look, we have an order tracking report here.

The first status is label_created at 10:02.

[screenshot 1: tracking report]

Later, a new status "arrived_at_facility" is added, and even though that's the latest one, "label_created" is superimposed.

[screenshot 2: tracking report]

And this continues on and on: the tracking statuses are arriving as normal, but label_created keeps being moved up as the latest one.

[screenshot 3: tracking report]

So our tracking report always takes "label_created" as the latest status, instead of something else such as "in_transit".

Any ideas of what could be wrong with our logs?

Thanks in advance, guys. If you need any additional info, ask away 🙂

ITWhisperer
SplunkTrust

Is this one event (in Splunk terms), i.e. are all the tracking details rewritten to the log whenever there are more details?

If so, you can take the most recent event, with all the details in, break it up into separate Splunk events, with the appropriate adjustments to the _time field, to get a timeline of tracking detail events.

bowesmana
SplunkTrust

Looks like the basic problem is to do with your event timestamping.

Your label created event has the datetime field as 2022-11-09T10:02:42Z, which is a UTC time (because it has Z on the end).

Then the subsequent events have 

arrived_at_facility: 2022-11-08T17:14:00Z
unknown: 2022-11-09T00:34:00Z
departed_origin_facility: 2022-11-08T23:34:00Z

and these are all UTC times, so if Splunk is configured to extract the event time from this field, your events appear to be all out of sync. Since Splunk orders on the event "_time", label_created will always be the latest.

You need to address the time ingestion timestamping - that will depend on how your data is coming in and the systems that are producing it.

If you cannot address this, then you can treat the "_indextime" field as _time and do something like

my data search
| eval _time=_indextime
more search...

but this is not good practice unless you have no other option - it will not always be guaranteed to be correct.

If the generating systems are in different time zones, then they appear to be putting incorrect times into the data.
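The following is an added example, not code from the thread or from Splunk; it models the two ingestion shapes the replies above discuss and reproduces the symptom. Ordered by the extracted event time (_time), "label_created" is always the newest record because its datetime is the latest of the four values bowesmana quotes; ordered by arrival (_indextime), the most recently written status wins. It also shows ITWhisperer's approach of breaking one rewritten record into per-status events. The sample data is constructed: the four timestamps from the thread, a hypothetical "in_transit" status with a made-up time, and made-up index times in arrival order.

```python
"""Added example (not from the thread): why "label_created" sorts as the
newest status, and the two workarounds discussed in the replies.

All sample data below is constructed for illustration.
"""
from datetime import datetime, timezone

# (status, datetime) in the order the carrier emitted them. The first four
# datetime values are the ones quoted in the thread; "in_transit" is constructed.
STATUS_UPDATES = [
    ("label_created",            "2022-11-09T10:02:42Z"),
    ("arrived_at_facility",      "2022-11-08T17:14:00Z"),
    ("departed_origin_facility", "2022-11-08T23:34:00Z"),
    ("unknown",                  "2022-11-09T00:34:00Z"),
    ("in_transit",               "2022-11-09T06:10:00Z"),  # constructed
]
BASE_INDEXTIME = 1668622100  # constructed epoch seconds for the first arrival


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime.

    datetime.fromisoformat() before Python 3.11 rejects 'Z', so rewrite it first.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def as_separate_events(updates=STATUS_UPDATES):
    """Ingestion shape 1: every status update is its own Splunk event.

    _time is extracted from the datetime field; _indextime reflects arrival order.
    """
    return [
        {"status": s, "_time": parse_utc(ts), "_indextime": BASE_INDEXTIME + 100 * i}
        for i, (s, ts) in enumerate(updates)
    ]


def as_rewritten_record(updates=STATUS_UPDATES):
    """Ingestion shape 2: the whole tracking record is rewritten on each update,
    so Splunk sees one growing event per rewrite. Returns the most recent one
    (highest _indextime), which carries the full history.
    """
    snapshots = [
        {
            "_indextime": BASE_INDEXTIME + 100 * i,
            "tracking": [{"status": s, "datetime": ts} for s, ts in updates[: i + 1]],
        }
        for i in range(len(updates))
    ]
    return max(snapshots, key=lambda e: e["_indextime"])


def explode(snapshot):
    """ITWhisperer's suggestion: break the latest full record into one event per
    status, with _time taken from that status's own datetime."""
    return [
        {"status": t["status"], "_time": parse_utc(t["datetime"]), "_indextime": snapshot["_indextime"]}
        for t in snapshot["tracking"]
    ]


def latest_status(events, by="_time"):
    """Status of the newest event when ordered by the given field
    ("_time" is Splunk's default; "_indextime" is bowesmana's fallback)."""
    return max(events, key=lambda e: e[by])["status"]


def timeline(events):
    """Statuses in ascending _time order, i.e. the timeline the report wants."""
    return [e["status"] for e in sorted(events, key=lambda e: e["_time"])]


if __name__ == "__main__":
    sep = as_separate_events()
    print("newest by _time      :", latest_status(sep, "_time"))       # label_created
    print("newest by _indextime :", latest_status(sep, "_indextime"))  # in_transit
    print("timeline by _time    :", timeline(explode(as_rewritten_record())))
```

The timeline output makes the underlying problem visible: ordered by the timestamps the source writes, "label_created" lands after every other status, so no amount of SPL reordering will put "in_transit" last until the producing system emits consistent times. Ordering by arrival only works because arrival order happened to match the real sequence, which is why the reply above calls it a last resort.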

richgalloway
SplunkTrust

Are the logs being produced this way by the source system, or is this produced by Splunk? If the latter, then what is the SPL that produced the output?

FTR, the label_created event is NOT the latest status, it's just last on the list. Note the datetime fields. By default, Splunk displays events in reverse time order, so the most recent event is first, not last.