Splunk Enterprise

difference in timezone

chaitali_1994
Engager

Can anyone help me understand why I am getting a time difference between _time and indextime?

The logs are sent via syslog from the source and are in CEF format.

<Apr 9 02:00:01>  <syslog- server name> <02: 00:01, 371>  ERROR [EventLogManager] Udated logs Successfully CEF:|<cefVersion>|<vendor>|<product>|<version>|<id>|<id desc>|<severity id>|start=Apr 09 2020 01:00:01 end=Apr 09 2020 01:00:01 <............log msg>

As my logs are getting written to a file path, I have written inputs.conf and stored it on the forwarder, which is pushed via the deployment server:

[monitor:///<path>]
disabled=<>
sourcetype=<>
index=<>

In props.conf:

[<sourcetype>]
TIME_PREFIX= \send\=
TIME_FORMAT= %b %d %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ= GMT

props.conf is placed on my SH and indexer.

I am getting a 1 hour time difference. The logs are generated in the GMT timezone.

Let me know if any further details are required.

Thank you!

isoutamo
SplunkTrust

Hi

It seems that your syslog event doesn't have timezone (especially summertime) information included. The best option is to try to get that information added to the syslog event. Otherwise you need to update the summertime information twice a year.
r. Ism


anmolpatel
Builder

@chaitali_1994 Please provide a screenshot from the Splunk search showing the actual event vs the time extracted. Also, are the events going from UF ---> IDX(C) or UF ---> HF ---> IDX(C)?


chaitali_1994
Engager

Unfortunately I cannot provide a screenshot of the Splunk search.

The data is sent from the source server via syslog to UF --> IDX.


anmolpatel
Builder

@chaitali_1994 no worries.

If the time signature is this: Apr 9 02:00:01,

then your props needs to be modified to include this:

TIME_FORMAT= %b %d %H:%M:%S

Apart from that, the rest appears fine.


chaitali_1994
Engager

I am trying to capture the end time as TIME_PREFIX, so even if I change the TIMESTAMP, will it take? I am confused here.


anmolpatel
Builder

@chaitali_1994 that makes it clear; I did not understand that regex.

props.conf

TIME_PREFIX = end=
MAX_TIMESTAMP_LOOKAHEAD = 100 [or the furthest the "end" timestamp is at; you've currently set it to 20, so it only looks 20 characters ahead]
TIME_FORMAT = %b %d %Y %H:%M:%S
TZ = GMT

chaitali_1994
Engager

So in TIME_PREFIX I should use "end=" instead of "\send\="?

And I have tried with MAX_TIMESTAMP_LOOKAHEAD = 22; still it didn't work. Let me try changing to TIME_PREFIX = end=

isoutamo
SplunkTrust

Sorry that I missed the 2nd and 3rd timestamps in your event. You could take it from the start= or end= positions. But you must count, from the start of the event, the position at which those timestamps end, and probably add something to this sum to ensure that it always covers the whole timestamp. Then set MAX_TIMESTAMP_LOOKAHEAD to this total sum.
r. Ismo


anmolpatel
Builder

@chaitali_1994 your MAX_TIMESTAMP_LOOKAHEAD value needs to be at least 230.

The way that value works is, from the beginning of the event, it will continue to validate the regex in the TIME_PREFIX value.

In your example, <Apr 9 02:00:01>  <syslog- server name> <02: 00:01, 371>  ERROR [EventLogManager] Udated logs Successfully CEF:|<cefVersion>|<vendor>|<product>|<version>|<id>|<id desc>|<severity id>|start=Apr 09 2020 01:00:01 end=Apr 09 2020 01:00:01

The TIME_PREFIX = end= is 214 characters from the beginning of the string.

This is after you've anonymised the data. 

So the value of 22 is not going to meet the criteria in any scenario. 

The best way forward is to copy some of the larger events into a text editor or Word and check how many characters there are prior to the timestamp "end=<timestamp>", and set the MAX_TIMESTAMP_LOOKAHEAD value to the MAXIMUM value you get.

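An added example, not code from this thread: a small Python model of the props.conf extraction discussed above (find TIME_PREFIX, parse TIME_FORMAT in the MAX_TIMESTAMP_LOOKAHEAD window after the match, apply TZ) that also reproduces the 1-hour shift isoutamo describes when the source writes summer time but TZ is set to GMT. The filled-in sample event and the Europe/London zone for the source are assumptions.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample event modelled on the one in the thread (placeholders filled in).
EVENT = ("<Apr 9 02:00:01>  <syslog-server> <02:00:01,371>  ERROR [EventLogManager] "
         "Udated logs Successfully CEF:|0|vendor|product|1.0|100|desc|5|"
         "start=Apr 09 2020 01:00:01 end=Apr 09 2020 01:00:01 msg=example")

TIME_FORMAT = "%b %d %Y %H:%M:%S"   # as in the thread's props.conf


def extract_time(event, time_prefix, time_format=TIME_FORMAT, tz="GMT", lookahead=20):
    """Simplified model of Splunk timestamp extraction: locate TIME_PREFIX, then
    parse TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD characters after the match,
    interpreting the naive result in TZ. Returns an aware datetime, or None when
    the prefix is missing or no timestamp fits in the window."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    tzinfo = timezone.utc if tz in ("GMT", "UTC") else ZoneInfo(tz)
    # strptime needs an exact match, so try the longest prefix of the window first
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], time_format).replace(tzinfo=tzinfo)
        except ValueError:
            continue
    return None


def tz_skew_seconds(event, configured_tz, actual_tz, time_prefix=r"\send\="):
    """Seconds by which _time is off when the source really writes local time in
    actual_tz (e.g. British Summer Time) but props.conf says TZ = configured_tz."""
    assumed = extract_time(event, time_prefix, tz=configured_tz)
    real = extract_time(event, time_prefix, tz=actual_tz)
    return int((assumed - real).total_seconds())


if __name__ == "__main__":
    # Both prefix spellings from the thread find the same field, and 20 characters
    # is exactly "Apr 09 2020 01:00:01", so the lookahead itself is not the problem.
    print(extract_time(EVENT, r"\send\="))             # 2020-04-09 01:00:01+00:00
    print(extract_time(EVENT, r"end="))                # same instant
    print(extract_time(EVENT, r"end=", lookahead=10))  # None: window too short
    # Assumption: the source actually logs Europe/London local time (BST in April).
    print(tz_skew_seconds(EVENT, "GMT", "Europe/London"))  # 3600
```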