Splunk Search

Why Am I Seeing Events In The Future And How Do I Stop It

OgoNARA
Explorer

Hi Guys,

 

I hope someone can help me out or give me a pointer here. When  I run my searches I always get events in the future. I usually fix the time picker so it stops it but afterwards, I have to place the events in order and it's just adding a step for every search I make. Is there a way I can implement some type of SPL to make sure that I only get dates in the current time instead of the future?

 

 

OgoNARA_0-1728651120224.png

OgoNARA_2-1728651157799.png

 

 

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Could this just be from different timezones and/or UTC?

Can you provide examples of raw events, their _time timestamp (as set when they were indexed) and their _indextime to see if that's where the difference is coming from?

gcusello
SplunkTrust
SplunkTrust

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @OgoNARA ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Get Updates on the Splunk Community!

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...