Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem with dates

jjcorral
New Member
‎05-08-2012 07:27 AM

Hi.

I'm doing searches on the indexed events of the last minutes or hours, and I get no results.
I see that the problem is that Splunk is generating events in 2011, when today's events.
Where does this by taking that date? How I can make it work?
I attached a picture to see the failure.

alt text

Thanks in advance.
Kindest regards.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-08-2012 09:39 AM

Well, the problem is that it seems like Splunk mismatches the date portion by one position, i.e. your log has the format mm/dd/yy , but Splunk parses this wrong (uses the month for day and the year for month (if you have a en-US locale, hard to tell from the numbers))

Does this happen for all logs indexed by Splunk?
What is your system clock set to on the indexer? 2011?
What are the values for timestartpos and timeendpos for this particular event (you'll find them in the 'show all fields')?

You might have to specify this manually in props.conf, though I've never had to do that ever for winevt-logs.

[WinEventLog:Security]
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 20

Hope this helps,

Kristian

0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-09-2012 12:05 PM

Oooh that is OLD. Sorry, I cant remember all that happened since then.

Did you try the props.conf settings?

/k

0 Karma
Reply

jjcorral
New Member
‎05-09-2012 06:05 AM

Thanks four your answer.

I have and European date. dd/mm/yy

If the data comes from WinEventLog:Security fails, if comes from windows_snare_syslog it´s ok.

No, the clock on the indexer are sntp sync.

I have no timestartpos and timeendpos, my Splunk version is old. The 3.8.4, but i can´t migrate it.

Exactly it take thet date bad, today is (in european format) 09/05/2012 und splunk gets 09/12/11

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...