IT Operations Discussions

Timestamp field not working as expected

akpadhi
Explorer

I have a use case where my log files have timestamps in various timezones, and I want to generate alerts based on the indexed time (MST). I tried using DATE_CONFIG=NONE, TZ=<> in props, however it's not working as expected and search is not recognizing the event as latest. Also, the dedup doesn't work as multiple indexers in the cluster are assigning different indexed times.


(index="idx1") | eval _time = _indextime | convert ctime(_indextime) as Timestamp | sort _time desc | dedup _time consecutive=true

0 Karma

akpadhi
Explorer

Hi @richgalloway, the problem is our log file entries do not have a timezone attribute. Even with the above search query, if an entry comes ahead of the index timezone, it's not getting picked up by my search condition.

For example: current time in MST (Arizona) is 13:30 MST, and a log entry is created something like this:

11/13/2020 17:20:26 ABC_123 Process failed

Indexed time for the above is 13:30; I want this event to be picked up in the search condition. I tried the TZ=<> attribute, and it didn't work either.

0 Karma

richgalloway
SplunkTrust

Have you considered using DATETIME_CONFIG = CURRENT? That will assign the current time to events as they arrive, so everything will be in the local time zone.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

If the log file timestamps have time zone information then you just need to adjust your props to recognize it.

If the files are read by universal forwarders then you can put the TZ attribute on the UF so Splunk knows what the time zone really is.

Working with _indextime can be tricky. I've found it best to assign _indextime to a new field and use that, instead.

(index="idx1") | eval itime = _indextime | convert ctime(itime) as Timestamp | sort itime desc | dedup itime consecutive=true

---
If this reply helps you, Karma would be appreciated.
0 Karma
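As an added illustration of the "adjust your props" advice above (example configuration, not from the thread or from Splunk documentation), this props.conf stanza pins the timestamp format of the sample line and declares the zone the application's clock uses, so _time stays correct and time-bounded alert searches see the event as current. The sourcetype names are hypothetical; the TZ value is an assumption (the 17:20 entry indexed at 13:30 MST is consistent with a UTC-3 clock) and must be set to whatever zone the log writer really uses. Place it on the parsing tier (indexers or a heavy forwarder).

```ini
# Added example, not from the thread. Hypothetical sourcetype name.
[app_process_log]
# Each line starts with the timestamp: 11/13/2020 17:20:26 ABC_123 Process failed
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S
# "11/13/2020 17:20:26" is 19 characters; stop scanning after it.
MAX_TIMESTAMP_LOOKAHEAD = 19
# The entries carry no zone, so declare the writer's zone here.
# ASSUMPTION: a UTC-3 clock; replace with the application's real zone.
# Never set this to the indexer's zone unless the writer actually uses it.
TZ = America/Sao_Paulo
SHOULD_LINEMERGE = false

# The alternative suggested above: stamp events with arrival time on the
# indexer. Every indexer then uses its own clock, so keep them NTP-synced,
# and ordering reflects arrival rather than when the event really happened.
[app_process_log_arrival]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
```

To confirm the zone is right after a restart, run `index=idx1 sourcetype=app_process_log | eval lag=_indextime-_time | stats min(lag) avg(lag) max(lag)`: a correct TZ gives a small positive lag (seconds to minutes of ingest delay), while a wrong one shows up as a whole-hour offset.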