Can anyone help me understand why I am getting a time difference between _time and indextime?
The logs are sent via syslog from the source and are in CEF format.
<Apr 9 02:00:01> <syslog- server name> <02: 00:01, 371> ERROR [EventLogManager] Udated logs Successfully CEF:|<cefVersion>|<vendor>|<product>|<version>|<id>|<id desc>|<severity id>|start=Apr 09 2020 01:00:01 end=Apr 09 2020 01:00:01 <............log msg>
As my logs are written to a file path, I have written an inputs.conf and stored it on the forwarder, which is pushed via the deployment server:
[monitor:///<path>]
disabled=<>
sourcetype=<>
index=<>
In props.conf:
[<sourcetype>]
TIME_PREFIX= \send\=
TIME_FORMAT= %b %d %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ= GMT
props.conf is placed on my SH and Indexer.
I am getting a 1 hour time difference. The logs are generated in the GMT timezone.
Let me know if any further details are required.
Thank You !
Hi
It seems that your syslog event hasn't got timezone (especially summertime) information included. The best option is to try to get that information added to the syslog event. Otherwise you need to update the summertime information twice a year.
r. Ism
@chaitali_1994 Please provide a screenshot from the Splunk search showing the actual event vs the time extracted. Also, are the events going from UF ---> IDX(C) or UF ---> HF ---> IDX(C)?
Unfortunately I cannot provide the screenshot of the Splunk search.
The data is sent from the source server via syslog to UF --> IDX.
@chaitali_1994 no worries.
If the time signature is this: Apr 9 02:00:01,
then your props needs to be modified to include this:
TIME_FORMAT= %b %d %H:%M:%S
Apart from that, the rest appears fine.
I am trying to capture the end time using TIME_PREFIX, so even if I change the TIMESTAMP, will it take it? I am confused here.
@chaitali_1994 that makes it clear; I did not understand that regex.
props.conf
TIME_PREFIX = end=
MAX_TIMESTAMP_LOOKAHEAD = 100 [or the furthest the "end" timestamp is at; you've currently set it to 20, so it only looks 20 characters ahead]
TIME_FORMAT = %b %d %Y %H:%M:%S
TZ = GMT
So in TIME_PREFIX I should use "end=" instead of "\send\="?
And I have tried with MAX_TIMESTAMP_LOOKAHEAD= 22 and still it didn't work. Let me try changing TIME_PREFIX to end=.
Sorry that I missed the 2nd and 3rd timestamps in your event. You could take it from the start= or end= positions. But you must count from the start of the event the position at which those timestamps end and probably add something to this sum to ensure that it always covers the whole timestamp. Then set MAX_TIMESTAMP_LOOKAHEAD to this total sum.
r. Ismo
@chaitali_1994 your MAX_TIMESTAMP_LOOKAHEAD value needs to be at least 230.
The way that value works is that, from the beginning of the event, it will continue to validate the regex in the TIME_PREFIX value.
In your example, <Apr 9 02:00:01> <syslog- server name> <02: 00:01, 371> ERROR [EventLogManager] Udated logs Successfully CEF:|<cefVersion>|<vendor>|<product>|<version>|<id>|<id desc>|<severity id>|start=Apr 09 2020 01:00:01 end=Apr 09 2020 01:00:01
The TIME_PREFIX = end= is 214 characters from the beginning of the string.
This is after you've anonymised the data.
So the value of 22 is not going to meet the criteria in any scenario.
The best way forward is to copy some of the large events into a text editor or Word and check how many characters there are prior to the timestamp "end=<timestamp>", and set the MAX_TIMESTAMP_LOOKAHEAD value to the MAXIMUM value you get.
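As an added example (not from the thread and not Splunk's own code), a small Python model of prefix-anchored timestamp extraction run over a constructed event shaped like the one above; it assumes, as the props.conf documentation states for MAX_TIMESTAMP_LOOKAHEAD, that the lookahead window is counted from the end of the TIME_PREFIX match, and it uses a fixed UTC offset in place of a named TZ so the one-hour summertime shift raised earlier in the thread can be checked directly.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event, shaped like the anonymised one in the thread
# (syslog header 02:00:01, CEF start=/end= fields one hour earlier).
SAMPLE_EVENT = (
    "<Apr 9 02:00:01> <syslog-server> <02:00:01,371> ERROR [EventLogManager] "
    "Updated logs Successfully CEF:0|vendor|product|1.0|100|desc|5|"
    "start=Apr 09 2020 01:00:01 end=Apr 09 2020 01:00:01 msg=example"
)


def extract_timestamp(event, time_prefix, time_format, lookahead, utc_offset_hours=0):
    """Model of TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD extraction.
    Assumption: the lookahead window starts right after the prefix match.
    utc_offset_hours stands in for TZ (0 = GMT, 1 = a zone on summer time).
    Returns (epoch_seconds, matched_text) or (None, reason)."""
    m = re.search(time_prefix, event)
    if m is None:
        return None, "TIME_PREFIX did not match"
    window = event[m.end():m.end() + lookahead]
    tz = timezone(timedelta(hours=utc_offset_hours))
    # Longest parseable prefix of the window wins. A window that is too short
    # may still parse, but then yields a truncated (silently wrong) timestamp.
    for end in range(len(window), 0, -1):
        try:
            naive = datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
        return int(naive.replace(tzinfo=tz).timestamp()), window[:end]
    return None, "no timestamp matching TIME_FORMAT inside the lookahead window"


def tz_shift_seconds(event, time_prefix, time_format, lookahead):
    """How far _time moves when the same text is read as GMT versus GMT+1
    (the summertime gap discussed in the thread)."""
    gmt, _ = extract_timestamp(event, time_prefix, time_format, lookahead, 0)
    bst, _ = extract_timestamp(event, time_prefix, time_format, lookahead, 1)
    return gmt - bst


if __name__ == "__main__":
    fmt = "%b %d %Y %H:%M:%S"
    for prefix, la in ((r"\send\=", 20), (r"end=", 22), (r"end=", 19), (r"end=", 10)):
        print(prefix, la, extract_timestamp(SAMPLE_EVENT, prefix, fmt, la))
    print("GMT vs GMT+1 shift:", tz_shift_seconds(SAMPLE_EVENT, r"end=", fmt, 20))
```

Comparing the epoch returned for the end= field against the event's _indextime is the quickest way to tell a timezone problem (a difference of exactly 3600 seconds) from a lookahead problem (a truncated or missing timestamp).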