Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Event Log time and Indexed time different?

Atchyuth_P
Path Finder
‎08-03-2022 06:54 PM

hi,

Please check with below screenshot

Atchyuth_P_1-1659577705527.png

The indexed time and event log time both are different. Kindly let me know the solution to fix this error.

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 06:57 AM

Hi @Atchyuth_P,

anyway, please try in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[
TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

This props.conf must be located on Indexers or (if present) On Heavy Forwarders.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

wapese3400
Loves-to-Learn
‎08-05-2022 09:07 AM

DSCN0012.jpg

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 11:43 PM

Hi @Atchyuth_P,

this means thet there's a parsing error.

Could your share a sample of your logs to find the correct configuration?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Atchyuth_P
Path Finder
‎08-04-2022 07:40 PM

Hi @gcusello 

Please check the below screenshot for reference.

Atchyuth_P_0-1659666952599.png

I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds 

Atchyuth_P_1-1659667143760.png

I have tried with the TZ setting but was unable to solve it.

Please help

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 06:57 AM

Hi @Atchyuth_P,

anyway, please try in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^\d+\.\d+\.\d+\.\d+\s+w\s+\w+\s+\[
TIME_FORMAT = %Y-%m-%d \s+\H:|M:|S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

This props.conf must be located on Indexers or (if present) On Heavy Forwarders.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-05-2022 12:56 AM

Hi @Atchyuth_P,

please share your logs as text in the "Insert/Edit Code Sample" otherwise I cannot use them.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎08-03-2022 08:36 PM

Hello,

You will need to provide timestamp extraction settings to correctly identify that time stamp, if none of the pre trained source types are picking it up.

I suggest you try to add that data using different sourcetypes in the data preview tool, to see which on extracts your time stamp, then use that setting in your own sourcetype settings.

https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/HowSplunkextractstimestamps

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#Timestamp_extraction_configuratio...

Reply
Solved! Jump to solution

Atchyuth_P
Path Finder
‎08-04-2022 07:46 PM

Hi @chaker 

 

Thank you so much. I have learned a lot about Splunk while watching your videos and those helped me to shift my career transition.

Please check the below screenshot for reference.

Atchyuth_P_1-1659667441524.png

I have applied the MAX_DAYS_AGO setting in Splunk it identified the Y-m-d but was unable to find out the exact hours, minutes, seconds

Atchyuth_P_2-1659667567922.png

I have tried with the TZ setting but was unable to solve it.

Please help

 

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎08-03-2022 08:39 PM

This may help you.

https://www.youtube.com/watch?v=Q5EWCT79nZ4

Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...