Solved: Why don't timestamp and _time match in search?

brennson90 · ‎02-02-2023

Hi,

i'm currently working on a props.conf and have different values from _time and the timestamp in my logs. What did i wrong? Thanks in advance.

2023-01-24T13:00:23+00:00 avx.local0.notice {"host":"xx-xx-xxxxx-xxxx-xxxxx-x-xx-000x-xxxxx-xxxx-xx.xxx.xxx.xxx","ident":"syslog","message":"xx:xx.xxxxxx+xx:xx xx-xx-xxxxxx-xxxx-xxxxxxx-x-xx-xxxx-xxxxx-hagw-xx.xxxx.xxx.xxxx

From Splunk search the values are the following:

timestamp: 2023-01-24T13:00:19.141113233, _time: 2023-01-24T14:00:23.000+01:00
My props.conf is the following:

[s3:Test]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
TRUNCATE = 10000
SHOULD_LINEMERGE = false

gcusello · ‎02-02-2023

Hi @brennson90,

probably the issue is the wrong timezone identifier, you should use %:z

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z

as you can read at https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables

Ciao.

Giuseppe

View solution in original post

brennson90 · ‎02-02-2023

Thank you Giuseppe.

gcusello · ‎02-02-2023

Hi @brennson90,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎02-02-2023

Hi @brennson90,

probably the issue is the wrong timezone identifier, you should use %:z

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z

as you can read at https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables

Ciao.

Giuseppe

Why don't timestamp and _time match in search?

field extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life