Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Correcting ingesting timestamp for Solarwinds alert

tstewart
Explorer
‎04-02-2026 09:28 AM

Hello,

I recently enabled a SolarWinds alert in the inputs.conf on the heavy forwarder. The data is now ingesting into Splunk, but the timestamps are appearing in UTC instead of local time. The interval is set to 899. All other SolarWinds alerts ingesting into Splunk are showing the correct local time, so this issue seems isolated to the newly enabled alert. Any guidance on what might cause this specific alert to default to UTC—whether related to the alert configuration, timestamp parsing, or a missing props/transforms setting—would be appreciated.

 
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tstewart
Explorer
a month ago
Thank you! Adding the TIME_PREFIX and TIME_FORMAT fixed the issue. I also added the MAX_TIMESTAMP_LOOKAHEAD and TZ as well.

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
a month ago

for current and future learners reference, i would like to post the Splunk's "Magic 8"

https://kinneygroup.com/blog/splunk-magic-8-props-conf/

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
a month ago

Apart from all the things already mentioned by @richgalloway , check the contents of the event itself and compare to the other - "working" - events. Do the timestamps in those alert contain timestamps in the same timezone? Are they formatted the same way? Are they even extracted and used properly by Splunk or is the ingestion time used instead?

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-03-2026 08:13 AM

Check the props.conf settings for the sourcetype ingested by the inputs.conf entry.  Chances are the time parsing settings are incorrect.  Verify the TIME_FORMAT and TIME_PREFIX settings in particular.  You may need to add a TZ setting.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

tstewart
Explorer
a month ago
Thank you! Adding the TIME_PREFIX and TIME_FORMAT fixed the issue. I also added the MAX_TIMESTAMP_LOOKAHEAD and TZ as well.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...