Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Splunk assigning the wrong date for my firewall logs when it used to record dates accurately before?

yschiff
New Member
‎09-29-2015 02:13 PM

For some reason, Splunk is misreading the data from my firewall logs. The events clearly show the correct date and time, but Splunk is for some reason interpreting the date incorrectly. For example, in my screenshot is an event which shows occurring on 9/29/2015. However, Splunk is recording it as 9/28/2015. I'm not entirely sure when this started happening. Splunk used to record the dates accurately.

Thanks.

alt text

Preview file
1 KB
0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎06-01-2016 02:03 PM

it looks like a timezone issue
If your firewall is logging in local time and the timezone is not in the log, then splunk will thinks it is UTC. you can tell splunk which timezone it is by setting TZ= in props.conf (can do it by source for example)

0 Karma
Reply

jterry
Splunk Employee
Splunk Employee
‎06-01-2016 01:39 PM

any chance of this being a time-zone issue? Perhaps check to see whether the splunk account profile you're using has a different timezone setting than the firewall system.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...