×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ej_head
Engager
Member since: ‎07-26-2011
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎07-26-2011
Activity Feed
View All

Why are we getting two different timestamps in one...

by in Getting Data In
‎10-14-2014 02:06 AM
1 Karma
‎10-14-2014 02:06 AM
1 Karma
I collect syslog from Cisco devices, splunk shows two different timestamps in one event: Oct 14 14:59:01 x.x.x.x 282814: Oct 14 14:49:54.254: %IP_VFR-4-FRAG_TABLE_OVERFLOW: GigabitEthernet0/0.214: the fragment table has reached its maximum threshold 16 Oct 14 14:59:59 x.x.x.x 282822: Oct 14 14:50:29.078: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down If i restart splunk, difference between timestamps will be about 1 minute, then it became more, on some devices i saw difference about couple hours. Events apear at Splunk much later than on device. First i thought that first timestamp is time of receiving event, but on another syslog server this time not more than 5 seconds. What is the first timestamp? And what about this latency? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All