Time drift between logs and time column

sigma · ‎03-16-2024

Hi all,

I have installed and configured fortiweb for splunk app. The problem is that the time in the log is correct, but the time I receive in the Splunk time column is 7 hours different. It should be mentioned that there is a field in the logs called timezone_dayst that it differs from my time zone by exactly 7 hours.
I also added TZ = MyTimeZone to the props.conf of the app but problem still exists.

For example, in the image below, it can be seen that the time is equal to 8:37, while the log time is equal to 1:07, and of course timezone_dayst has a drift (-3:30 instead of +3:30).

Any ideas are appreciated.

marnall · ‎03-17-2024

I would recommend making the following checks:

1. The props.conf file is on the indexer machines
2. The props.conf file is readable by the splunk user
3. The TZ value in the props.conf file reflects the timezone of the logs
4. In your Splunk User Preferences in the webUI, your timezone is set to your current timezone

isoutamo · ‎03-18-2024

Hi

it's quite possible that your logs have issues in onboarding. It's probably take wrong timezone information from logs or actually cannot find it and for that reason it use some assumptions which seems to to incorrect.

Here https://splunk-usergroups.slack.com/files/U0483CQG4/F06PKREDNLW/masa.pdf is excellent picture/flow how data is ingested into splunk and where you should put different configuration options. It's new version of previous MASA diagram.

r. Ismo

Time drift between logs and time column

field extraction

heavy forwarder

indexer

other

props.conf

syslog

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms