Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Am I Seeing Events In The Future And How Do I Stop It

OgoNARA
Explorer
‎10-11-2024 05:53 AM

Hi Guys,

 

I hope someone can help me out or give me a pointer here. When  I run my searches I always get events in the future. I usually fix the time picker so it stops it but afterwards, I have to place the events in order and it's just adding a step for every search I make. Is there a way I can implement some type of SPL to make sure that I only get dates in the current time instead of the future?

 

 

OgoNARA_0-1728651120224.png

OgoNARA_2-1728651157799.png

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2024 06:06 AM

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-11-2024 06:09 AM

Could this just be from different timezones and/or UTC?

Can you provide examples of raw events, their _time timestamp (as set when they were indexed) and their _indextime to see if that's where the difference is coming from?

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2024 06:06 AM

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2024 06:42 AM

Hi @OgoNARA ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...