Splunk Search

Why Am I Seeing Events In The Future And How Do I Stop It

OgoNARA
Explorer

Hi Guys,

 

I hope someone can help me out or give me a pointer here. When  I run my searches I always get events in the future. I usually fix the time picker so it stops it but afterwards, I have to place the events in order and it's just adding a step for every search I make. Is there a way I can implement some type of SPL to make sure that I only get dates in the current time instead of the future?

 

 

OgoNARA_0-1728651120224.png

OgoNARA_2-1728651157799.png

 

 

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Could this just be from different timezones and/or UTC?

Can you provide examples of raw events, their _time timestamp (as set when they were indexed) and their _indextime to see if that's where the difference is coming from?

gcusello
SplunkTrust
SplunkTrust

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @OgoNARA ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...