All Apps and Add-ons

Indexed 1 year late

jrodriguezap
Contributor

Hello
I wonder if this has happened to anyone.
I have a "main" DB where the logs of 4 teams are indexed, and one of them has problems with the indexing date.
At this point I figure it is 1 year late:
1/31/13 11:09:42.000 PM

What could this be due to?

0 Karma

linu1988
Champion

Hello,
It is possible Splunk is confused by the event's timestamp data.

Feb  1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group "INSIDE_access_in" [0x0, 0x0]

out of which Splunk is taking

09:32:28 192.168.1.13 Feb 01

this part as the timestamp for the event. You can test a bit by changing 192.168.1.13 to 192.168.1.14 inside the log itself. The correct way would be to change your configuration in props.conf to use either the time of event arrival or the intended timestamp in the actual events. As the first part of the time doesn't have a year, I have taken the second half:

Feb 01 2014 09:32:51

props.conf

NO_BINARY_CHECK=1
TIME_FORMAT=%b %d %Y %H:%M:%S
TIME_PREFIX=\.\d+\s

Thanks
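To make the props.conf logic above concrete, here is an added Python example (not Splunk's own timestamp engine, and not code from the thread) that applies the same TIME_PREFIX regex and TIME_FORMAT to the two ASA lines quoted in this thread. It shows why the syslog header alone is ambiguous (it carries no year, so the year must be guessed, which is how an event can land a year off) and how anchoring on the prefix picks the firewall's own full timestamp instead. The sample events are constructed from the lines posted in the thread; the helper names are my own.

```python
import re
from datetime import datetime

# Constructed sample events, built from the two ASA lines quoted in the thread.
SAMPLE_EVENTS = [
    'Feb  1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src '
    'INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group '
    '"INSIDE_access_in" [0x0, 0x0]',
    'Feb 1 10:14:38 192.168.1.13 Feb 01 2014 10:27:01: %ASA-6-302014: Teardown TCP '
    'connection 104897871 for OUTSIDE:190.12.82.197/80 to INSIDE:192.168.1.64/29684 '
    'duration 0:00:30 bytes 0 SYN Timeou',
]

# Same values as the props.conf stanza in the answer above.
TIME_PREFIX = re.compile(r"\.\d+\s")      # matches ".13 " at the end of the relay IP
TIME_FORMAT = "%b %d %Y %H:%M:%S"         # the firewall's own timestamp, with a year

# Leading syslog header: "Feb  1 09:32:28" (month, day, clock; no year).
SYSLOG_HEADER = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})")


def extract_syslog_header(event):
    """Parse only the relay's syslog header, the way a year-less timestamp is seen.

    strptime has no year to work with and falls back to 1900, which is the point:
    any year assigned to this timestamp is a guess, not data from the event.
    """
    m = SYSLOG_HEADER.match(event)
    if not m:
        return None
    mon, day, clock = m.groups()
    return datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S")


def extract_with_prefix(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT):
    """Emulate TIME_PREFIX + TIME_FORMAT: parse the timestamp right after the prefix."""
    m = prefix.search(event)
    if not m:
        return None
    rest = event[m.end():]
    # Take exactly as many whitespace-separated tokens as the format has,
    # then drop the ':' the ASA appends after its timestamp.
    ntok = len(fmt.split())
    candidate = " ".join(rest.split()[:ntok]).rstrip(":")
    return datetime.strptime(candidate, fmt)


def relay_delay_seconds(event):
    """Seconds between the firewall's own timestamp and the relay's syslog header.

    Assumes both clocks are in the same year (the header has none), so the header
    is re-stamped with the year parsed from the firewall timestamp.
    """
    fw = extract_with_prefix(event)
    hdr = extract_syslog_header(event).replace(year=fw.year)
    return int((fw - hdr).total_seconds())


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("header-only :", extract_syslog_header(ev))
        print("with prefix :", extract_with_prefix(ev))
        print("relay delay :", relay_delay_seconds(ev), "s")
```

The relay delay is worth keeping in a real deployment: a large or negative gap between the syslog header and the firewall's embedded time points at clock drift on one of the devices, which is a separate problem from the year being guessed wrong at index time.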

jrodriguezap
Contributor

Hi lukejadamec, the result of that search is as follows:

Feb 1 10:14:38 192.168.1.13 Feb 01 2014 10:27:01: %ASA-6-302014: Teardown TCP connection 104897871 for OUTSIDE:190.12.82.197/80 to INSIDE:192.168.1.64/29684 duration 0:00:30 bytes 0 SYN Timeou
0 Karma

lukejadamec
Super Champion

The firewall log sourcetype looks for "timestamp host". Your event shows "partial timestamp host timestamp".
Can you double check the event content by reviewing the _raw data?
search |table _raw

0 Karma

jrodriguezap
Contributor

Hi linu. This is a log received from that computer; you can see the date the firewall is sending in the log:

Feb  1 09:32:28 192.168.1.13 Feb 01 2014 09:32:51: %ASA-4-106023: Deny tcp src INSIDE:192.168.15.54/37549 dst OUTSIDE:195.124.8.57/7735 by access-group "INSIDE_access_in" [0x0, 0x0]

But the Time field in Splunk shows:

2/1/13 
9:32:28.000 AM
0 Karma

linu1988
Champion

If some log has the time mentioned above, it will automatically be assigned as the event timestamp. What does the event contain? Could you elaborate more?

0 Karma