timestamps are different in original log and splun...

prad18 · ‎01-28-2014

Hi,

My sample log which I've loaded in splunk.

[9/12/13 12:42:44:988 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.

[9/12/13 12:43:20:410 EDT] 000000d1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)

[9/12/13 12:43:28:191 EDT] 0000010a SRTServletRes W WARNING: Cannot set header. Response already committed.

[9/12/13 12:43:37:347 EDT] 000000de ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)

[9/12/13 12:43:37:722 EDT] 000000ce SRTServletRes W WARNING: Cannot set header. Response already committed.

[9/12/13 12:43:38:066 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.

[9/12/13 12:44:50:846 EDT] 000000de SRTServletRes W WARNING: Cannot set header. Response already committed.

[9/12/13 12:45:02:315 EDT] 000000e1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)

[9/12/13 12:45:56:189 EDT] 0000010a ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:57:673 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed

but the splunk shows different timestamps in splunk

9/11/13
7:21:14.400 PM

[9/12/13 12:42:44:988 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:20:410 EDT] 000000d1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:43:28:191 EDT] 0000010a SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:37:347 EDT] 000000de ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:43:37:722 EDT] 000000ce SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:38:066 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:44:50:846 EDT] 000000de SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:45:02:315 EDT] 000000e1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:56:189 EDT] 0000010a ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:57:673 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.

As you can see it shows 9/11/13 7:21:14.400 PM for all these events, the same thing is happening for rest of the entries. Can anyone tell me what's going wrong? and how can I resolve this?

Pradi

ddarmand · ‎01-28-2014

I think it's because of your timezone in Splunk system configuration. Also you can try to access splunk with the url en-GB instead of en-US

lukejadamec · ‎01-28-2014

Splunk user default timezone.

MuS · ‎01-28-2014

the upper and the lower lock the same?
Have you checked your Splunk user timezone settings?

timestamps are different in original log and splunk events

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform