Why is the time and aggregated time received from ...

osakachan · ‎02-28-2018

I spent all morning trying to resolve the next problem.
I work in UTC + 1:00 and I have the machines, and a not splunk forwarder and splunk indexer configured in UTC + 1:00. The same for the splunk accounts.

When I receive a log from one host who doesn't send date/time in their logs, time works perfectly. But in the same index, I have a host who sends date/time in the logs and here is when the problem starts.

I have the correct date/time inside the log but Time and aggregated time are wrong for -1:00 in Splunk.

I tried several props.conf like TZ and nothing changed. The only thing that "worked" was

[sourcetype]
TIME_PREFIX = \"time\"\=
TIME_FORMAT = %H:%M:%S

But Splunk started to index in one event varius logs and still have the system time wrong. Ex:

2/28/18
2:01:04.000 PM

<189>date=2018-02-28 time=13:00:42 ****************************************** date=2018-02-28 time=14:00:42 logid=.....

Thanks for reading.

somesoni2 · ‎02-28-2018

Does your logs have double quotes around the field date or time?? If yes, give this a try

[sourcetype]
 TIME_PREFIX = \"date\"\=
 TIME_FORMAT = %Y-%m-%d "time"=%H:%M:%S

osakachan · ‎02-28-2018

Sorry, I used a wrong regex.

I tried that without exp for the ". and doesnt have errors but I still have one time wrong. I tried to this conf

[fgt_logs]
TIME_PREFIX = vd="root" date\=
TIME_FORMAT = %Y-%m-%d time=%H:%M:%S

[host::ESALCMUS01]
TZ = Europe/Helsinki

or with the correct TZ

[host::ESALCMUS01]
TZ = Europe/Madrid

An example how its rigth now.

osakachan · ‎02-28-2018

Ouch, in the img, the time after the img is 8:50

Why is the time and aggregated time received from a host is wrong inside the logs?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life