Splunk Search

How do you find the difference of an hour in _time and _indextime in Splunk logs?

juhisaxena28
Explorer

We have logs being parsed in Splunk which have differences in _indextime and _time of an hour. Please advise how can an event have _indextime exact one hour lesser than _time.

index="splunk_test" |eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval diff= indextime-time | table time, indextime

time                                indextime
2019-02-11 01:33:28 2019-02-11 00:33:37
2019-02-11 01:23:28 2019-02-11 00:23:37
2019-02-11 01:22:49 2019-02-11 00:23:07
2019-02-11 01:12:08 2019-02-11 00:12:37
2019-02-11 01:07:48 2019-02-11 00:08:07
2019-02-11 01:05:24 2019-02-11 00:05:37
2019-02-11 01:05:01 2019-02-11 00:05:07
2019-02-11 01:02:39 2019-02-11 00:03:07

Sample data below:-

2/11/19
1:53:28.625 AM  
I0211 01:53:28.625849 13773 catalog-server.cc:241] Catalog Version: 4079 Last Catalog Version: 4079
host =  bda65node01.core.pimcocloud.net source =    /var/log/catalogd/catalogd.bda65node01.core.pimcocloud.net.impala.log.INFO.20190205-071323.12059 sourcetype =   imapalacatalogd
2/11/19
1:43:28.549 AM  
I0211 01:43:28.549252 13

Thanks

Tags (2)
0 Karma

chrisyounger
SplunkTrust
SplunkTrust

The most common reason for this problem is that your sourcetype parsing does not have the correct TZ set. Alternatively the TIME_FORMAT might be incorrect. The TZ should be set on the indexer or the first heavy forwarder that the data is sent through.

Here is some more information: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Applytimezoneoffsetstotimestamps

All the best

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...