Solved: Why does endEpoch field of dbinspect shows last ev...

murikadan · ‎12-28-2017

Hello splunkers,

This is probably some kind of expected behavior but I would still like to confirm. I noticed that dbinspect shows endEpoch time well into the future (some 12h into the future), when it actually is not (this is _internal index for one thing and I double checked date time in indexers and sh's).

endEpoch: The timestamp for the last event in the bucket, which is the time-edge of the bucket furthest towards the future. Is what dbinspect documentation says. Does that actually mean timestamp of last event that bucket can hold as opposed to the last event in the bucket currently ? Splunk version for indexers is 6.5.5 and sh's is 6.5.6

Thanks in advance

nickhills · ‎12-29-2017

This should only occur if you have events in that index with a future date - Have you tried looking in the relevant index for any events which have bad timestamps?

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎12-29-2017

This should only occur if you have events in that index with a future date - Have you tried looking in the relevant index for any events which have bad timestamps?

If my comment helps, please give it a thumbs up!

murikadan · ‎12-29-2017

hi, that was why I tried with _internal so that there wont be things like a bad time stamp extraction in the way and as mentioned in the question time and date in sh's and indexers are correct

nickhills · ‎12-29-2017

Thats normally true, but some modular inputs etc write logs to internal, and i have seen some pretty screwy errors.

What do you get from |tstats latest(_time) where index=_internal how does that timestamp compare with dbinspect?

If my comment helps, please give it a thumbs up!

murikadan · ‎12-29-2017

thanks for the tip. tstats also reported the event in future, but now I could easily look for host and source and they say where the problem is, it was from a forwarder:
|tstats latest(_time) where index=_internal host=my_fwd by source for All Time

It was indeed coming from modular inputs
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk-powershell.ps1.log

murikadan · ‎12-28-2017

This is not a timezone issue, epoch time itself is in future, some 12h
| dbinspect index=_internal state=hot | convert ctime(endEpoch) AS latestTime | sort - endEpoch | fields endEpoch, splunk_server

p_gurav · ‎12-28-2017

Hi murikadan,

Could you please check in user's general setting, which timezone is set? Is it system default or some custom timezone?

murikadan · ‎12-28-2017

Its not timezone, I will add that to question.

p_gurav · ‎12-28-2017

Hi,

I tried below search and its showing exact time as system time. But when i changed my timezone of user it add that much time in endEpoch.

Why does endEpoch field of dbinspect shows last event timestamp as way into the future when it actually appear not to be ?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout