Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Am I Seeing Events In The Future And How Do I Stop It

OgoNARA
Explorer
‎10-11-2024 05:53 AM

Hi Guys,

 

I hope someone can help me out or give me a pointer here. When  I run my searches I always get events in the future. I usually fix the time picker so it stops it but afterwards, I have to place the events in order and it's just adding a step for every search I make. Is there a way I can implement some type of SPL to make sure that I only get dates in the current time instead of the future?

 

 

OgoNARA_0-1728651120224.png

OgoNARA_2-1728651157799.png

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2024 06:06 AM

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-11-2024 06:09 AM

Could this just be from different timezones and/or UTC?

Can you provide examples of raw events, their _time timestamp (as set when they were indexed) and their _indextime to see if that's where the difference is coming from?

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2024 06:06 AM

Hi @OgoNARA ,

the issue is probably related to a wrong timestamp parsing of your events:

your events probably are using the european format (dd/mm/yyyy) and you didn't defined this format in props.conf, but Splunk by default uses the american format (mm/dd/yyyy), so in the first twelve days of the month Splunk read a wrong timestsmp and you have some future events and also some past events.

How to solve it: add in the props.conf of these events the correct format in the TIME_PREFIX option.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

computermathguy
Path Finder
‎03-11-2025 08:33 AM

One of our timecharts showed "future" time (by one hour) on the x-axis.  Turns out the server time was off by one hour.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2024 06:42 AM

Hi @OgoNARA ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...