Events indexed in future when UTC timestamp rolls over

roller
New Member

Hello all,

I have been having some issues with Splunk indexing events from a particular log with a time in the future. I currently have a universal forwarder set up to push all logs in a particular directory to the Splunk indexer/server. The problem only occurs with one particular log with the following format:

23:45:43.992 - INFO [blah blah blah] - 20130827T034543Z|172.16.1.95|
23:45:44.015 - WARN [blah blah blah] - No login context available, unable to proceed

When the UTC time rolls over to the next day (i.e., 20130826T235959Z to 20130827T000000Z) the date on the index also changes and starts timestamping the events as happening at 8pm on the next day (we are EDT, both where the logs are coming from and where the indexer is). The time goes back to being indexed correctly once the UTC time hits 20130827T040000Z, or basically when the hour:minute:second time at the beginning of each log line hits 24hr.

I have tried configuring props.conf on the indexer to use only the long UTC string without luck.
I've tried the following:

TIME_PREFIX = (\d{2}:\d{2}:\d{2}\.\d{3})
TIME_FORMAT = %Y%m%dT%H%M%SZ
TZ = US/Eastern

I think that part of the problem is that not all of the lines in this log have the UTC time string. If I try and pick up only on the time at the beginning, the index still gets thrown off after the UTC time rolls over.

There are separate logs from the same source with only the UTC string at the beginning of each line that have no problems. Only the one with the H:M:S at the beginning seems to have issues.

I hope that this is clear. If not, I can attempt to clarify more.

Thanks in advance,


kristian_kolb
Ultra Champion

Well, I assume that the starting H:M:S.ms timestamp exists in all messages and is correct. If that is the case, then both the TIME_FORMAT and TIME_PREFIX are wrong.

[sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 15
TZ = US/Eastern

Normally you'd use the sourcetype as a base for your timestamp extraction, so if you monitor multiple logfiles in the same directory in the same stanza, you can only set one sourcetype for them all. So if timestamps differ between log files, this might not be correct.

If you could configure your logging to also include the date on each line, you'd be settled.

/K

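The following is an added example, written for this thread and not code from either poster or from Splunk. It mirrors what a props.conf TIME_PREFIX/TIME_FORMAT/TZ triple does (pick a token, parse it with a format, attach a zone) on constructed log lines in the format from the question, and it shows two things: why the original config lands events four hours in the future (the trailing Z in TIME_FORMAT = %Y%m%dT%H%M%SZ is a literal character, not a zone, so TZ = US/Eastern is applied to a UTC value), and how to build a full timestamp for the lines that carry only the local HH:MM:SS.mmm clock, including the local midnight rollover the question describes. The function and constant names are hypothetical.

```python
"""Timestamp-extraction sanity check for a log that mixes a local clock
(HH:MM:SS.mmm at the start of every line) with a UTC token
(YYYYMMDDTHHMMSSZ) on only some lines.

Added example, not from the original post or from Splunk. Sample lines
are constructed; helper names are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")      # same zone as US/Eastern
except Exception:
    # No tzdata on this host: fixed EDT offset, which is correct for August 2013.
    EASTERN = timezone(timedelta(hours=-4), "EDT")

# Constructed sample lines in the format from the question (IP and text are illustrative).
# Line 3 is a clock-only line just past local midnight, with no UTC token before it.
SAMPLE_LINES = [
    "23:45:43.992 - INFO [blah blah blah] - 20130827T034543Z|172.16.1.95|",
    "23:45:44.015 - WARN [blah blah blah] - No login context available, unable to proceed",
    "00:00:00.500 - WARN [blah blah blah] - No login context available, unable to proceed",
    "00:00:01.100 - INFO [blah blah blah] - 20130827T040001Z|172.16.1.95|",
    "00:00:01.250 - WARN [blah blah blah] - No login context available, unable to proceed",
]

LOCAL_CLOCK = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})")   # TIME_PREFIX=^ / %H:%M:%S.%3N
UTC_TOKEN = re.compile(r"(\d{8}T\d{6})Z")                  # the trailing ...Z token


def parse_utc_token(line, tz_override=None):
    """Parse the YYYYMMDDTHHMMSSZ token, or None if the line has none.

    tz_override=None honours the Z and returns a UTC time.
    tz_override=EASTERN reproduces TIME_FORMAT=%Y%m%dT%H%M%SZ with TZ=US/Eastern:
    the Z is matched as a literal, so no zone is parsed and TZ is applied instead.
    """
    m = UTC_TOKEN.search(line)
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y%m%dT%H%M%S")
    return naive.replace(tzinfo=tz_override or timezone.utc)


def future_skew_seconds(line):
    """Seconds by which the misconfigured parse lands ahead of the correct one."""
    correct = parse_utc_token(line)
    wrong = parse_utc_token(line, tz_override=EASTERN)
    return (wrong - correct).total_seconds()


def clock_agrees_with_token(line, tz=EASTERN):
    """True if the leading local clock matches the UTC token converted to tz."""
    ts = parse_utc_token(line)
    m = LOCAL_CLOCK.match(line)
    if ts is None or not m:
        return False
    return ts.astimezone(tz).strftime("%H:%M:%S") == m.group(1)[:8]


def assign_event_times(lines, tz=EASTERN):
    """Give every line an aware timestamp.

    Lines with a UTC token use it as-is. Clock-only lines borrow the local
    date of the previous event; if the clock reads more than 12 hours
    earlier than that event, the clock wrapped past local midnight and a
    day is added. This is the step Splunk cannot do from the
    one-sourcetype config in the thread, because the date is not on the line.
    """
    events, last = [], None
    for line in lines:
        ts = parse_utc_token(line)
        if ts is None:
            if last is None:
                raise ValueError("no dated line seen yet: " + line)
            m = LOCAL_CLOCK.match(line)
            clock = datetime.strptime(m.group(1), "%H:%M:%S.%f").time()
            ts = datetime.combine(last.astimezone(tz).date(), clock, tzinfo=tz)
            if ts < last - timedelta(hours=12):        # wrapped past local midnight
                ts += timedelta(days=1)
        events.append(ts)
        last = ts
    return events


def event_times_utc(lines, tz=EASTERN):
    """ISO-8601 UTC strings for assign_event_times(), convenient for checking."""
    return [e.astimezone(timezone.utc).isoformat() for e in assign_event_times(lines, tz)]


if __name__ == "__main__":
    print("skew of original config:", future_skew_seconds(SAMPLE_LINES[0]), "s")
    print("clock agrees with token:", clock_agrees_with_token(SAMPLE_LINES[0]))
    for line, when in zip(SAMPLE_LINES, event_times_utc(SAMPLE_LINES)):
        print(when, "<-", line[:30])
```

Run it and the first line reports a 14400 s (four hour) skew, which is the "in the future" effect from the question: the UTC token 20130827T034543Z is read as 03:45:43 Eastern and so indexed at 07:45:43Z. The carried-forward date logic is a host-side illustration of what the accepted advice achieves more simply: put the date on every line, or extract only the leading local clock with TZ set, and let Splunk assign the date.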