Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- timestamps are different in original log and splun...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timestamps are different in original log and splunk events
Hi,
My sample log which I've loaded in splunk.
[9/12/13 12:42:44:988 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:20:410 EDT] 000000d1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:43:28:191 EDT] 0000010a SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:37:347 EDT] 000000de ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:43:37:722 EDT] 000000ce SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:38:066 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:44:50:846 EDT] 000000de SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:45:02:315 EDT] 000000e1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:56:189 EDT] 0000010a ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:57:673 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed
but the splunk shows different timestamps in splunk
9/11/13
7:21:14.400 PM
[9/12/13 12:42:44:988 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:20:410 EDT] 000000d1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:43:28:191 EDT] 0000010a SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:37:347 EDT] 000000de ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:43:37:722 EDT] 000000ce SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:43:38:066 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:44:50:846 EDT] 000000de SRTServletRes W WARNING: Cannot set header. Response already committed.
[9/12/13 12:45:02:315 EDT] 000000e1 ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:56:189 EDT] 0000010a ColleagueFact I com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl getColleagueByLogonId Inside : com.marsh.coreentity.impl.colleague.ColleagueFactoryImpl.getColleagueByLogonId(String)
[9/12/13 12:45:57:673 EDT] 000000e1 SRTServletRes W WARNING: Cannot set header. Response already committed.
As you can see it shows 9/11/13 7:21:14.400 PM for all these events, the same thing is happening for rest of the entries. Can anyone tell me what's going wrong? and how can I resolve this?
Pradi
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it's because of your timezone in Splunk system configuration. Also you can try to access splunk with the url en-GB instead of en-US
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk user default timezone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the upper and the lower lock the same?
Have you checked your Splunk user timezone settings?
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
