Splunk Search

Time Stamp Help!

kc_prane
Communicator


Hello, I have time stamps that are not matching. How do I table the actual "Event log time stamp" ?

 

Splunk Time stampEvent log time stamp
8/14/24
4:29:21.000 AM


2024-08-13 17:49:23,006 [https-mmme-nio-1111-exec-2] ERROR

Labels (1)
Tags (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Hi  @isoutamo,  The below is the raw event. I dont have access to props.conf. so just wanted to extract

You do not need direct access to props.conf.  Just use Splunk Web's Settings -> Source Types interface.  There are two menus where you can customize your timestamp handling, Timestamp and Advanced.

sourcetype-timestamp.png

sourcetype-advanced.png

As @isoutamo says, your problem might not be in Splunk's time extraction; instead, the apparent difference could be in time zone.  If this is not the case, the best cause of action is to correct time extraction.  Search time correction should only be used as the last resort.  It can be done, of course.

| rex "^(?<timestamp>\S+ \S+)"
| eval _time = strptime(timestamp, "%F %T,%3N")

The big problem with search time adjustment of an essential datapoint such as _time is that you lose precision when trying to set index search interval.

View solution in original post

Tags (1)

marnall
Motivator

I indexed this log in a new sourcetype on a test machine in the GMT+2 timezone, and the timestamp seems to have extracted properly. We would need to know what your timestamp settings in props.conf are to find out where the timestamp extraction is going wrong.

marnall_0-1723667418941.png

 

isoutamo
SplunkTrust
SplunkTrust

What you have on raw event and how you have define timestamp extraction on props.conf?

0 Karma

kc_prane
Communicator

Hi  @isoutamo,  The below is the raw event. I dont have access to props.conf. so just wanted to extract the time stamp from the raw event.

2024-08-13 17:49:23,006 [https-mmme-nio-1111-exec-2] ERROR

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Hi  @isoutamo,  The below is the raw event. I dont have access to props.conf. so just wanted to extract

You do not need direct access to props.conf.  Just use Splunk Web's Settings -> Source Types interface.  There are two menus where you can customize your timestamp handling, Timestamp and Advanced.

sourcetype-timestamp.png

sourcetype-advanced.png

As @isoutamo says, your problem might not be in Splunk's time extraction; instead, the apparent difference could be in time zone.  If this is not the case, the best cause of action is to correct time extraction.  Search time correction should only be used as the last resort.  It can be done, of course.

| rex "^(?<timestamp>\S+ \S+)"
| eval _time = strptime(timestamp, "%F %T,%3N")

The big problem with search time adjustment of an essential datapoint such as _time is that you lose precision when trying to set index search interval.

Tags (1)

isoutamo
SplunkTrust
SplunkTrust

There seems to be probably TZ issue with some other issues with your ingestion phase. If I recall right TZ are +/- 1h or x.5h difference with local time and UTC time. But your time difference didn’t match that.

You must get your correct props.conf and also raw source event before it was ingested into splunk. With those we could help you.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...