_time is wrong

sarit_s · ‎01-31-2020

Hello

i'm creating a sample of some poc so i added data manually from the "add data" option.
when reviewing the time format from the "add data" option i see everything extracting perfectly but when searching in splunk the time in "_time" is the time that i added the data.

for example:

02/02/2020
11:19:20.000    
44.204.160.84 - - [02/Feb/2020:23:55:40 +0200] "POST /posts/posts/explore HTTP/1.0"

so you can see that the date is correct but the time is not the same as in the event

update
i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000
138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000
217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

how can i fix it ?

thanks

richgalloway · ‎01-31-2020

Add TIME_FORMAT = %d/%b/%Y:%H:%M:%S %Z and change the TIME_PREFIX value to \[.

---
If this reply helps you, Karma would be appreciated.

sarit_s · ‎01-31-2020

it is not working.. now even the date is wrong :

02/02/2020
20:53:37.000    
146.145.47.30 - - [06/Feb/2020:20:34:28 +0200] "PUT /list HTTP/1.0"

also i noticed something strange :
this is the msg i got after the search completed :

5,000 events (before 31/01/2020 20:57:34.000)
but the results i got is from 2\2\2020 which is future date...

skalliger · ‎01-31-2020

Please show us your props.conf stanza with the according settings and maybe give us more than one sample event.

Skalli

sarit_s · ‎01-31-2020

[access_combined]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = 
disabled = false
TZ = UTC


02/02/2020
13:05:47.000    
25.90.196.46 - - [02/Feb/2020:23:58:19 +0200] "GET /explore HTTP/1.0"

to4kawa · ‎01-31-2020

TZ = UTC ? log is +0200.
please set TIME_FORMAT

p_gurav · ‎01-31-2020

Did you set any default timezone for your user? Also, check the system timezone.

sarit_s · ‎01-31-2020

yes, user's timezone set to Asia\Jerusalem

p_gurav · ‎01-31-2020

ok. and what is the indexer's timezone? Also, In props.conf put TZ= Asia/Jerusalem.

sarit_s · ‎01-31-2020

the indexer TZ is also Asia/Jerusalem
also, i changed it in props but it is not helping

i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000

138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000

217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

_time is wrong

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

_time is wrong

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future