Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why don't timestamp and _time match in search?

brennson90
Path Finder
‎02-02-2023 11:29 PM

Hi,

i'm currently working on a props.conf and have different values from _time and the timestamp in my logs. What did i wrong? Thanks in advance.

2023-01-24T13:00:23+00:00 avx.local0.notice {"host":"xx-xx-xxxxx-xxxx-xxxxx-x-xx-000x-xxxxx-xxxx-xx.xxx.xxx.xxx","ident":"syslog","message":"xx:xx.xxxxxx+xx:xx xx-xx-xxxxxx-xxxx-xxxxxxx-x-xx-xxxx-xxxxx-hagw-xx.xxxx.xxx.xxxx

From Splunk search the values are the following:

timestamp: 2023-01-24T13:00:19.141113233, _time: 2023-01-24T14:00:23.000+01:00
My props.conf is the following:

[s3:Test]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 26
TRUNCATE = 10000
SHOULD_LINEMERGE = false

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2023 11:38 PM

Hi @brennson90,

probably the issue is the wrong timezone identifier, you should use %:z

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z

as you can read at https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables

Ciao.

Giuseppe

 

View solution in original post

Reply
Solved! Jump to solution

brennson90
Path Finder
‎02-02-2023 11:48 PM

Thank you Giuseppe.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2023 11:51 PM

Hi @brennson90,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2023 11:38 PM

Hi @brennson90,

probably the issue is the wrong timezone identifier, you should use %:z

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z

as you can read at https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables

Ciao.

Giuseppe

 

Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...