How do you find the difference of an hour in _time...

juhisaxena28 · ‎02-20-2019

We have logs being parsed in Splunk which have differences in _indextime and _time of an hour. Please advise how can an event have _indextime exact one hour lesser than _time.

index="splunk_test" |eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval diff= indextime-time | table time, indextime

time                                indextime
2019-02-11 01:33:28 2019-02-11 00:33:37
2019-02-11 01:23:28 2019-02-11 00:23:37
2019-02-11 01:22:49 2019-02-11 00:23:07
2019-02-11 01:12:08 2019-02-11 00:12:37
2019-02-11 01:07:48 2019-02-11 00:08:07
2019-02-11 01:05:24 2019-02-11 00:05:37
2019-02-11 01:05:01 2019-02-11 00:05:07
2019-02-11 01:02:39 2019-02-11 00:03:07

Sample data below:-

2/11/19
1:53:28.625 AM  
I0211 01:53:28.625849 13773 catalog-server.cc:241] Catalog Version: 4079 Last Catalog Version: 4079
host =  bda65node01.core.pimcocloud.net source =    /var/log/catalogd/catalogd.bda65node01.core.pimcocloud.net.impala.log.INFO.20190205-071323.12059 sourcetype =   imapalacatalogd
2/11/19
1:43:28.549 AM  
I0211 01:43:28.549252 13

Thanks

chrisyounger · ‎02-20-2019

The most common reason for this problem is that your sourcetype parsing does not have the correct TZ set. Alternatively the TIME_FORMAT might be incorrect. The TZ should be set on the indexer or the first heavy forwarder that the data is sent through.

Here is some more information: https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Applytimezoneoffsetstotimestamps

All the best

How do you find the difference of an hour in _time and _indextime in Splunk logs?

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup