Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I'm trying to determine if by date_time stamps if we are getting the logs we should be getting

clunde
New Member
‎08-28-2020 08:33 AM

Hello,

I'm trying to determine if we are getting all the TrendMicro logs by comparing what's in Splunk and what's in Trend. There are 2 date/time stamps in the Splunk logs which I assume 1 is the actual event date/time and the other is the Splunk index date/time. 

I've ran the following 2 searches which return the same date_time stamps but I would expect to be different since the 2 date/times are different.

Times:

Aug 28 11:18:43 x.x.x.x Aug 28 15:12:19

index=trendmicro | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q %Z")

2020-08-28T11:18:43.000 EDT

index=trendmicro | eval mytime=strftime(_indextime,"%Y-%m-%dT%H:%M:%S.%Q %Z")

2020-08-28T11:18:43.000 EDT

How can I pull/report on both of these fields with both of the date_time stamps so we can determine we are getting all logs as well as if the indexer(s) are under resourced?

Labels (3)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-28-2020 08:41 AM

Hi

_time is (usually) when event is originally created on source system.

_indextime is when event is ingested to splunk and written to splunk index.

Usually those two should be quite similar (difference some seconds), but if there are some issues to collect and deliver events to splunk there could be long difference between those.

Another reason for that is wrongly configured TZ (time zone) information and/or your equipment don't use same time source to sync their time (ntp is suitable for that).

You could put those to report just like you already show in your guestion. Just use different names for those.

Best and easiest way to solve why there are difference between those is take MC (monitoring console) into use and look e.g. Settings -> MC -> Indexing -> performance is there any bottle necks sawn.

There are lot of other questions about this issue and also excellent .conf presentations how to solve this which you could found by using google. 

r. Ismo

0 Karma
Reply

clunde
New Member
‎08-28-2020 09:29 AM

Thank you for the information!

Do you know if the first time stamp is the _time or if it's the _indextime?

 

Thank you!

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-28-2020 09:35 AM

Usually the earlier timestamp is the event's creation time and the second one indexing time. Of course if your event ( source system) has wrong timezone then it could be otherwise.

Have you raw event and props.conf (/transforms.conf) where we could try to figure it out?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...