Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the time and aggregated time received from a host is wrong inside the logs?

osakachan
Communicator
‎02-28-2018 05:19 AM

I spent all morning trying to resolve the next problem.
I work in UTC + 1:00 and I have the machines, and a not splunk forwarder and splunk indexer configured in UTC + 1:00. The same for the splunk accounts.

When I receive a log from one host who doesn't send date/time in their logs, time works perfectly. But in the same index, I have a host who sends date/time in the logs and here is when the problem starts.

I have the correct date/time inside the log but Time and aggregated time are wrong for -1:00 in Splunk.

I tried several props.conf like TZ and nothing changed. The only thing that "worked" was 

[sourcetype]
TIME_PREFIX = \"time\"\=
TIME_FORMAT = %H:%M:%S

But Splunk started to index in one event varius logs and still have the system time wrong. Ex:

2/28/18
2:01:04.000 PM

<189>date=2018-02-28 time=13:00:42 ****************************************** date=2018-02-28 time=14:00:42 logid=.....

Thanks for reading.

0 Karma
Reply

somesoni2
Revered Legend
‎02-28-2018 11:37 AM

Does your logs have double quotes around the field date or time?? If yes, give this a try

[sourcetype]
 TIME_PREFIX = \"date\"\=
 TIME_FORMAT = %Y-%m-%d "time"=%H:%M:%S
0 Karma
Reply

osakachan
Communicator
‎02-28-2018 11:58 PM

Sorry, I used a wrong regex.

I tried that without exp for the ". and doesnt have errors but I still have one time wrong. I tried to this conf

[fgt_logs]
TIME_PREFIX = vd="root" date\=
TIME_FORMAT = %Y-%m-%d time=%H:%M:%S

[host::ESALCMUS01]
TZ = Europe/Helsinki

or with the correct TZ

[host::ESALCMUS01]
TZ = Europe/Madrid

An example how its rigth now.
An example how its rigth now.

0 Karma
Reply

osakachan
Communicator
‎02-28-2018 11:59 PM

Ouch, in the img, the time after the img is 8:50

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...