Splunk Search

postfix_syslog time extraction inaccuracies


We seem to be having an issue with the postfix_syslog sourcetype (that came as a default sourcetype in Splunk) and its date extractions.

I posted this at 8:20am on 9/29, and did a search of events that took place between 15:00 and 23:59 on 9/29, and came back with the following results.

As you can see, the date_hour is set up as 18 on one of these events, which translates to 6pm, but the original event actually took place at 5am.

I am not overriding any of the default postfix_syslog stuff, and these events are getting sourcetyped properly, as shown below.

TIME_FORMAT = %b %d %H:%M:%S

According to the docs, %H is the 24 hour time, even though Splunk seems to believe it is not.

Any help is appreciated. Thanks,

--adam

(EDIT) This is Splunk 4.1.4; the data is coming in with syslog-ng.


Super Champion

One more possibly helpful resource:


Splunk Employee

It seems likely that you have some conflicting configuration. Splunk does not appear to be looking at your event timestamps at all, but is using CURRENT or the file modification time. This may be because of changes or redefinitions of DATETIME_CONFIG or the file it points to. Using btool (http://www.splunk.com/base/Documentation/4.1.5/Admin/Troubleshootingconfigurations) will probably help show if this is so, or if there are other conflicting configurations (e.g., both source:: and host:: configurations will override sourcetype props.conf configurations).

Super Champion

I agree, a rogue DATETIME_CONFIG = CURRENT entry does seem to be the most logical explanation for what's going on here.



Check to make sure that there isn't another rule overriding TIME_FORMAT or other timestamping options. If you have conflicting entries in props.conf, configuration settings applied to [host::myhost] or [source::mysource] will take precedence over those applied to the sourcetype.

If that isn't the problem, then more information is always helpful, such as:

  • How are you bringing the syslog data in? (Looks like syslog-ng?)
  • How is the input configured in inputs.conf?
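To make the precedence check from these answers concrete, here is an added Python example (not from the thread and not Splunk's own code) that parses a constructed props.conf, merges the timestamp settings that apply to one event, and flags a DATETIME_CONFIG = CURRENT in a host:: stanza silently winning over the sourcetype's TIME_FORMAT. The stanza names, host and source path are made up; the host-versus-source ordering and the glob-style stanza matching are assumptions to confirm with btool on your version.

```python
import configparser
from fnmatch import fnmatchcase

# props.conf settings that control timestamp recognition.
TIMESTAMP_KEYS = ("DATETIME_CONFIG", "TIME_FORMAT", "TIME_PREFIX", "TZ")

# Constructed sample, not a real config: the sourcetype stanza is fine, but a
# host:: stanza sets DATETIME_CONFIG = CURRENT, so Splunk ignores TIME_FORMAT.
SAMPLE_PROPS = """[postfix_syslog]
TIME_FORMAT = %b %d %H:%M:%S
[host::mailhost*]
DATETIME_CONFIG = CURRENT
[source::/var/log/maillog]
TZ = UTC
"""

def parse_props(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_timestamp_settings(props, host, source, sourcetype):
    """Return {setting: (value, stanza)} for one event. Assumed precedence, lowest
    first: sourcetype (0) < host:: (1) < source:: (2); confirm with btool."""
    layers = []
    for stanza, settings in props.items():
        # Stanza wildcards are simplified to shell globs here (assumption).
        if stanza.startswith("host::") and fnmatchcase(host, stanza[6:]):
            layers.append((1, stanza, settings))
        elif stanza.startswith("source::") and fnmatchcase(source, stanza[8:]):
            layers.append((2, stanza, settings))
        elif "::" not in stanza and stanza == sourcetype:
            layers.append((0, stanza, settings))
    effective = {}
    for _, stanza, settings in sorted(layers, key=lambda layer: layer[0]):
        for key in TIMESTAMP_KEYS:
            if key in settings:
                effective[key] = (settings[key], stanza)  # higher rank wins
    return effective

def find_overrides(effective, sourcetype):
    """Flag settings that did not come from the sourcetype stanza, and the
    DATETIME_CONFIG values under which the event's own timestamp is never parsed."""
    findings = [f"{k} = {v} comes from [{s}], not [{sourcetype}]"
                for k, (v, s) in effective.items() if s != sourcetype]
    value, stanza = effective.get("DATETIME_CONFIG", ("", ""))
    if value.upper() in ("CURRENT", "NONE"):
        findings.append(f"[{stanza}] DATETIME_CONFIG = {value}: TIME_FORMAT is ignored")
    return findings
```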

Super Champion

That's very weird. Some additional details may help. Please "edit" your post and provide: the version of Splunk you are running. Have you ever made any changes to datetime.xml? Does the syslog host contain any digits in it, or is it an IP address?
