postfix_syslog time extraction inaccuracies

adamw
Communicator

We seem to be having an issue with the postfix_syslog sourcetype (that came as a default sourcetype in Splunk) and its date extractions.

I posted this at 8:20am on 9/29, and did a search of events that take place between 15:00 and 23:59 on 9/29, and came back with the following results.

As you can see, the date_hour is set up as 18 on one of these events, which translates to 6pm, but the original event actually took place at 5am.

I am not overriding any of the default postfix_syslog stuff, and these events are getting sourcetyped properly, as shown below.

[postfix_syslog]
TIME_FORMAT = %b %d %H:%M:%S

According to the docs, %H is the 24 hour time, even though Splunk seems to believe it is not.

Any help is appreciated. Thanks,

--adam (EDIT) This is Splunk 4.1.4, data is coming in with syslog-ng.

Lowell
Super Champion

One more possibly helpful resource:

gkanapathy
Splunk Employee

Seems likely that you have some conflicting configuration. Splunk does not appear to be looking at your event timestamps at all, but using CURRENT or the file modification time. This may be because of changes or redefinitions of DATETIME_CONFIG or the file it points to. Probably using btool http://www.splunk.com/base/Documentation/4.1.5/Admin/Troubleshootingconfigurations may help show if this is so, or if there are other configurations conflicting (e.g., both source:: and host:: configurations will override sourcetype props.conf configurations).

Lowell
Super Champion

I agree, a rogue DATETIME_CONFIG = CURRENT entry does seem to be the most logical explanation for what's going on here.

southeringtonp
Motivator

Check to make sure that there isn't another rule overriding TIME_FORMAT or other timestamping options. If you have conflicting entries in props.conf, configuration settings applied to [host::myhost] or [source::mysource] will take precedence over those applied to the sourcetype.

If that isn't the problem, then more information is always helpful, such as:

  • How are you bringing the syslog data in? (Looks like syslog-ng?)
  • How is the input configured in inputs.conf?
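The precedence problem described in the two answers above, laid out as a props.conf fragment. This is an added illustration, not configuration from the original thread or from Splunk's shipped defaults; the [host::mailhost] stanza name is hypothetical, and the two versions of that stanza are alternatives (only one would exist in a real file).

```ini
# Added example, not from the thread. Shows how a host:: stanza can silently
# defeat a correct sourcetype TIME_FORMAT, and the corrected form.

# --- as shipped: the sourcetype stanza is correct ---
# %H is 24-hour time, so "Sep 29 05:12:34" parses as 05, not 18.
[postfix_syslog]
TIME_FORMAT = %b %d %H:%M:%S

# --- suspected problem: a host:: stanza wins over the sourcetype stanza ---
# Any host:: or source:: stanza that matches an event takes precedence over
# the sourcetype settings. This single line makes Splunk ignore the event
# timestamp entirely and stamp every event with the time it was indexed,
# which produces exactly the "date_hour = 18 for a 5am event" symptom.
# (hypothetical stanza name)
[host::mailhost]
DATETIME_CONFIG = CURRENT

# --- corrected: let the sourcetype's timestamp rules apply again ---
# Either delete the overriding line, or, if the host:: stanza is needed for
# other settings, point DATETIME_CONFIG back at the default datetime.xml
# (path is relative to $SPLUNK_HOME) so TIME_FORMAT is honoured.
[host::mailhost]
DATETIME_CONFIG = /etc/datetime.xml
```

To find out which stanza actually applies, run `$SPLUNK_HOME/bin/splunk btool props list --debug` on the indexer: it prints every effective props.conf setting together with the file it came from, so a DATETIME_CONFIG = CURRENT (or NONE) line under any host:: or source:: stanza matching the mail host stands out immediately. After removing it, new events should carry the hour from the syslog line rather than the index time.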

Lowell
Super Champion

That's very weird. Some additional details may help. Please "edit" your post and provide: The version of Splunk you are running. Have you ever made any changes to datetime.xml? Does the syslog host contain any digits in it, or is it an IP address?