IT Operations Discussions
All the up-time. All the nines.

Timestamp field not working as expected

akpadhi
Engager

I have a use case where my log files have timestamps in various time zones, and I want to generate alerts based on the indexed time (MST). I tried using DATE_CONFIG=NONE, TZ=<> in props; however, it's not working as expected and search is not recognizing the event as latest. Also, the dedup doesn't work, as multiple indexers in the cluster are assigning different indexed times.

(index="idx1") | eval _time = _indextime | convert ctime(_indextime) as Timestamp | sort _time desc | dedup _time consecutive=true

0 Karma

akpadhi
Engager

Hi @richgalloway, the problem is our log file entries do not have a time zone attribute. Even with the above search query, if an entry comes ahead of the index time zone, it's not getting picked up by my search condition.

For example: the current time in MST (Arizona) is 13:30 MST, and a log entry is created something like this:

11/13/2020 17:20:26 ABC_123 Process failed

Indexed time for the above is 13:30. I want this event to be picked up in the search condition. Tried with the TZ=<> attribute; it didn't work either.

0 Karma

richgalloway
SplunkTrust

Have you considered using DATETIME_CONFIG = CURRENT? That will assign the current time to events as they arrive, so everything will be in the local time zone.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

richgalloway
SplunkTrust

If the log file timestamps have time zone information then you just need to adjust your props to recognize it.

If the files are read by universal forwarders then you can put the TZ attribute on the UF so Splunk knows what the time zone really is.

Working with _indextime can be tricky.  I've found it best to assign _indextime to a new field and use that, instead.

(index="idx1") | eval itime = _indextime | convert ctime(itime) as Timestamp | sort itime desc | dedup itime consecutive=true
---
If this reply helps you, an upvote would be appreciated.
0 Karma
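The following is an added example, not code from the thread or from Splunk. It models the three timestamp strategies discussed above (no TZ attribute, a TZ attribute naming the source's zone, and DATETIME_CONFIG = CURRENT) on a log line with no zone information, then runs a "last 15 minutes" window over each result and compares dedup on _indextime against dedup on the event's own _time across two indexers with skewed clocks. The zones (Arizona MST as the indexer's zone, US Eastern as the source's zone), the clock values and the log line are all constructed for illustration; the fixed UTC offsets stand in for the tz database names a real props.conf would use, and the simulation is a simplified model of Splunk's timestamp recognition, not a reimplementation of it.

```python
"""
Added example (not from the original thread): a small model of how Splunk
assigns _time to a log line that carries no time-zone information, under
three props.conf strategies, and why the choice decides whether a
"last 15 minutes" search or alert sees the event at all.

  NO_TZ    no TZ attribute           -> timestamp read in the indexer's zone
  TZ       TZ = <source zone>        -> timestamp read in the source's zone
  CURRENT  DATETIME_CONFIG = CURRENT -> _time is the moment of indexing

Everything below is constructed for illustration: the zones, the clock
values and the log line. Fixed UTC offsets stand in for the tz database
names a real props.conf would use (Arizona has no DST, so -07:00 is exact).
"""
from datetime import datetime, timedelta, timezone

# Assumption: the indexers run in MST (Arizona), UTC-7 all year.
INDEXER_TZ = timezone(timedelta(hours=-7), "MST")
# Assumption: the application that wrote the log line sits in US Eastern
# (standard time on the constructed date), UTC-5.
SOURCE_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed log line in the thread's format; note: no zone attribute.
LOG_LINE = "11/13/2020 15:20:26 ABC_123 Process failed"
TS_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed wall clock on the indexer when the line arrives: 13:30 MST,
# which is 20:30 UTC. The line itself was written 9.5 minutes earlier.
INDEX_TIME = datetime(2020, 11, 13, 13, 30, 0, tzinfo=INDEXER_TZ)


def extract_time(line, strategy, index_time=INDEX_TIME):
    """Return the epoch _time the model assigns under `strategy`."""
    if strategy == "CURRENT":
        return index_time.timestamp()
    naive = datetime.strptime(line[:19], TS_FORMAT)
    zone = SOURCE_TZ if strategy == "TZ" else INDEXER_TZ
    return naive.replace(tzinfo=zone).timestamp()


def in_search_window(event_time, now, earliest=timedelta(minutes=15)):
    """Emulate earliest=-15m latest=now: anything after `now` is excluded,
    which is exactly what happens to a line mis-read as a future event."""
    now_epoch = now.timestamp()
    return now_epoch - earliest.total_seconds() <= event_time <= now_epoch


def evaluate_strategies(line=LOG_LINE, index_time=INDEX_TIME):
    """_time (shown as a UTC clock) and search-window hit per strategy."""
    results = {}
    for strategy in ("NO_TZ", "TZ", "CURRENT"):
        t = extract_time(line, strategy, index_time)
        results[strategy] = {
            "_time_utc": datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M:%S"),
            "matched": in_search_window(t, index_time),
        }
    return results


def dedup(events, key):
    """Keep the first event for each distinct value of `key` (like SPL dedup)."""
    seen, kept = set(), []
    for event in events:
        if event[key] not in seen:
            seen.add(event[key])
            kept.append(event)
    return kept


def dedup_comparison(line=LOG_LINE, index_time=INDEX_TIME):
    """The same line stored by two indexers whose clocks differ by one
    second: dedup on _indextime keeps both copies, dedup on the event's
    own (correctly zoned) _time collapses them to one."""
    copies = []
    for clock_skew in (0, 1):
        indexed_at = index_time + timedelta(seconds=clock_skew)
        copies.append({
            "_raw": line,
            "_indextime": indexed_at.timestamp(),
            "_time": extract_time(line, "TZ"),
        })
    return len(dedup(copies, "_indextime")), len(dedup(copies, "_time"))


if __name__ == "__main__":
    for name, result in evaluate_strategies().items():
        print(f"{name:8} _time={result['_time_utc']} UTC  "
              f"in last 15 min: {result['matched']}")
    by_indextime, by_time = dedup_comparison()
    print(f"dedup on _indextime keeps {by_indextime}, on _time keeps {by_time}")
```

Run stand-alone, the NO_TZ row lands about two hours in the future relative to the indexer's clock and is excluded from the window, which is the behaviour the original poster describes; the TZ row is 9.5 minutes old and matches; the CURRENT row equals the index time and matches. In a real deployment the TZ row corresponds to a `TZ = <tz database name>` line in the sourcetype's props.conf stanza (on the universal forwarder or the indexer, as the reply above notes), and the CURRENT row to `DATETIME_CONFIG = CURRENT`. The caveat with CURRENT is that it discards the time the event actually happened, so forwarder backlog, batching or a replayed file shifts _time, which matters when you later reconstruct an incident timeline; when the source's zone is known, TZ keeps the real event time and still makes recent events searchable. For dedup, the comparison shows why a key that each indexer assigns independently cannot identify duplicates; the event's own timestamp (ideally combined with a stable field from the line, such as host or the process identifier) can.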