Splunk Enterprise
Highlighted

Discrepancy in time extraction

Path Finder

Need some help in understanding how the _time, timestamp default fields are extracted. Raw event as mentioned below and the field values extracted for respective event is as mentioned below. As can clearly be seen  I dont see anything that could relate to the value extracted in _time field. Any pointer related to this would be much helpful.

Fields extracted:

@timestamp                                                    |      _time                             |  timestamp
2020-06-22T15:17:34.892576+00:00 | 2020-06-17 17:54:50 | 2020-06-23 01:17:34.888

Raw event:

=========

{"docker":{"container_id":"c0cb3bd3563f5f01133bcc496479b77b6c72bf898f24612ad7634b50a1749301"},"test":{"container_name":"anything","namespace_name":"test10-project","pod_name":"anything-1-w44fj","pod_id":"9289218b-b1cc-11ea-abcd-005056a44ead","labels":{"app":"anything","deployment":"anything-1","deploymentconfig":"anything"},"host":"ost-clb-osp-app-c02.linux.ostravam.corp.telstra.com","master_url":"https://test.default.svc.cluster.local","namespace_id":"0fbe0d11-cade-11e9-a562-005056a44ead"},"mess... 01:17:34.888 DEBUG --- [nio-8090-exec-5] o.s.web.servlet.DispatcherServlet : GET \"/healthcheck\", parameters={}\n","level":"info","hostname":"xxxxxxxxxxxxx","pipeline_metadata":{"collector":{"ipaddr4":"10.130.5.172","ipaddr6":"fe80::823:d3ff:fe3f:bf2d","inputname":"fluent-plugin-systemd","name":"fluentd","received_at":"2020-06-22T15:17:35.076698+00:00","version":"0.12.43 1.6.0"}},"@timestamp":"2020-06-22T15:17:34.892576+00:00","viaq_index_name":"project.test10-project.0fbe0d11-cade-11e9-a562-005056a44ead.2020.06.22","viaq_msg_id":"YzY0NWI1ZGItMjc5Ni00YWI2LWI4OWUtMWZkODU1NTRlNjdj","forwarded_by":"standalone-fluentd-splunk.openshift-logging.svc.cluster.local","source_component":"testsource"}

Labels (1)
0 Karma
Highlighted

Re: Discrepancy in time extraction

SplunkTrust
SplunkTrust

By default, Splunk will look in the first 128 characters of an event to find something that looks like a timestamp.  It can be in one of many forms (see datetime.xml), even a 10-digit number.  See https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/HowSplunkextractstimestamps#How_Splunk_softw... for more information.

This shows why it is a Best Practice to always specify TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD for all sourctypes.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.