Getting Data In

events with future timestamp

sarit_s
Communicator

Hello

this is my event:

Jun 19 12:31:44 : Info:copyconfig.cpp:319: copyConfig: copy configuration to /tmp/t5871.cfg

this is the source:

s3://ssyssplunk/AMER/FDM/F123/D/D02/2019-05-31T13:17:14.002Z_1.91.0.192_1.85.0.0_2.0.5608.0/75fbcf50-a6a4-4520-aa58-f63498a9c265_SystemLog

this is my sourcetype configuration:

[fdm_f123_systemLog]
BREAK_ONLY_BEFORE = ^\w\s\d+\s\d{2}:\d{2}:\d{2}
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 15
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %b  %d %H:%M:%S
TIME_PREFIX = ^
TRUNCATE = 0
category = Custom
disabled = false
pulldown_type = 1

and the timestamp for this event (and many others) looks like:

2019-06-07T12:41:08.000+00:00

How come I got a future date, and not the correct one either?

0 Karma
1 Solution

Azerty728
Path Finder

Hi,

You should try

TIME_FORMAT = %b %e %H:%M:%S

instead of

TIME_FORMAT = %b  %d %H:%M:%S

It seems you have an additional space between %b and %d too, which probably does not help...


0 Karma
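To see why the two TIME_FORMAT strings behave differently on lines shaped like the one in the question, here is an added Python check (not from the post, and not Splunk's own parser). It assumes, as a model of the matcher, that the literal double space in "%b  %d" must be present in the data while "%b %e" accepts a space-padded day, searches only the MAX_TIMESTAMP_LOOKAHEAD = 15 characters after TIME_PREFIX = ^, and flags results that land after the ingest time, since a format without a year has to borrow one.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of the event from the question.
SAMPLE_LINES = [
    "Jun 19 12:31:44 : Info:copyconfig.cpp:319: copyConfig: copy configuration to /tmp/t5871.cfg",
    "Jun  2 08:02:10 : Info:copyconfig.cpp:319: copyConfig: copy configuration to /tmp/t5872.cfg",
]

# Constructed ingest time, set to the date the question reports.
INGEST_TIME = datetime(2019, 6, 7, 12, 41, 8, tzinfo=timezone.utc)

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Assumed model of the two TIME_FORMAT strings: the literal double space in
# "%b  %d" must appear in the data, while "%b %e" takes a space-padded day.
TIME = r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})"
FORMATS = {
    "%b  %d %H:%M:%S": re.compile(r"^(?P<mon>[A-Z][a-z]{2})  (?P<day>\d{1,2}) " + TIME),
    "%b %e %H:%M:%S": re.compile(r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) " + TIME),
}


def parse_timestamp(line, time_format, ingest_time, lookahead=15):
    """Return (datetime | None, note). Only the first `lookahead` characters
    after TIME_PREFIX=^ are searched, mirroring MAX_TIMESTAMP_LOOKAHEAD = 15.
    The format carries no year, so the year is taken from ingest_time."""
    window = line[:lookahead]
    m = FORMATS[time_format].match(window)
    if not m or m["mon"] not in MONTHS:
        return None, "no timestamp match within lookahead"
    try:
        ts = datetime(ingest_time.year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone.utc)
    except ValueError:
        return None, "matched text is not a valid date"
    if ts > ingest_time:
        return ts, "future timestamp: year inferred from ingest time"
    return ts, "ok"


def check_lines(lines, time_format, ingest_time, lookahead=15):
    """Run every line through the parser and collect (datetime, note) pairs."""
    return [parse_timestamp(l, time_format, ingest_time, lookahead) for l in lines]


if __name__ == "__main__":
    for fmt in FORMATS:
        print(fmt)
        for ts, note in check_lines(SAMPLE_LINES, fmt, INGEST_TIME):
            print("  ", ts.isoformat() if ts else None, "-", note)
```

With the original format the first line does not match at all, so Splunk would have to fall back to some other time source; with the suggested format both lines parse, and the "Jun 19" event is reported as future-dated only because no year is available in the data.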

ddrillic
Ultra Champion

It seems that you have the Zulu Z there: 2019-05-31T13:17:14.002Z

A bit about it at: What is a trailing Z in a time stamp?

0 Karma
