Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

splunk _time not matching with timestamp

nawazns5038
Builder
‎01-22-2018 02:23 PM

Hi,

the log has timestamp like this "time":"2018-01-22 13:43:40.0"

props.conf :
TIME_FORMAT = %F %T.%3N
TIME_PREFIX = "time":\"
MAX_TIMESTAMP_LOOKAHEAD = 25

that was the props conf used. The setting worked fine while testing. After indexing the data the timestamp shown in Splunk or _time has come upto "11/28/17 4:06:53.568 PM" . which is even no where present in the event.

How can this be resolved. Please help.

0 Karma
Reply

nickhills
Ultra Champion
‎01-23-2018 12:52 PM

Are the events 'breaking' properly? Ie, one valid json block per event?
Also is it aws generated data (s3/cloudwatch logs) etc, or your own log data?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nawazns5038
Builder
‎01-23-2018 03:22 PM

Ya breaking is proper and props has been tested with the sample data as well. It is only one Json block.
Data is pulled from S3 buckets and it is not AWS default data . and it is pulling lots of .gz files which has json files in it
Is it a problem related to the Addon ?

0 Karma
Reply

micahkemp
Champion
‎01-22-2018 08:08 PM

Can you paste the full _raw of the event in question? Sometimes there are multiple instances of timestamps on one message, which can confuse Splunk.

0 Karma
Reply

nawazns5038
Builder
‎01-23-2018 12:36 PM

@p_gaurav

There is only time field and all the events are of the same format...Some are taking the correct value and some are not even in the range or just picking up some random timestamp which is not even present in the event
The data is being sent from S3 input from AWS addon

0 Karma
Reply

p_gurav
Champion
‎01-23-2018 11:07 PM

Can you check _internal logs for particular S3 input? Is there any timestamp related warning or error?

0 Karma
Reply

nawazns5038
Builder
‎01-23-2018 12:21 PM

It's really strange ... "time":"2018-01-21 05:42:34.0"
There is only time field and all the events are of the same format...Some are taking the correct value and some are not even in the range or just picking up some random timestamp which is not even present in the event
The data is being sent from S3 input from AWS addon

0 Karma
Reply

p_gurav
Champion
‎01-22-2018 08:18 PM

Hi nawazns5038,
Could you please provide sample events? Also in TIME_PREFIX try changing rex to \"time\"\:\"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...