time difference in log entries and interpreted by splunk

myli12
Path Finder

One example log entry is as follows:

1/20/11 4:13:55.000 AM

2002-01-01T00:02:44 127.0.0.1 Tue Jan 1 00:02:43 2002 : Error: rlm_eap: SSL error ...

"1/20/11 4:13:55.000 AM" is what Splunk interprets when plotting the event against the timeline and displaying the event for review, and 2002-01-01 is what is actually recorded in the log (the time is the result of a time reset due to a power outage).

My question is: how does Splunk get the time, and how do I reconcile the difference?


netwrkr
Communicator

I think because the time from the log file was too far in the past, Splunk discards it and instead uses "index" time - that is, the time the event was indexed. I seem to recall reading this in the docs from a previous version but can no longer find such a reference. Here is a good article, though, that may help you understand things a bit better - http://www.splunk.com/base/Documentation/4.2/Data/HowSplunkextractstimestamps

[edit] - found the info here about timestamps in the past / future

http://www.splunk.com/base/Documentation/4.2/Data/Configuretimestamprecognition

MAX_DAYS_AGO =

Specifies the maximum number of days in the past, from the current date, that an extracted date can be valid. For example, if MAX_DAYS_AGO = 10 then Splunk ignores dates older than 10 days from the current date. Default is 2000. Note: If you have data that is more than 2000 days old, increase this setting.

MAX_DAYS_HENCE =

Specifies the maximum number of days in the future from the current date that an extracted date can be valid. For example, if MAX_DAYS_HENCE = 3, dates that are more than 3 days in the future are ignored. False positives are less likely with a tighter window. If your servers have the wrong date set or are in a timezone that is one day ahead, set this value to at least 3. Defaults to 2. This allows timestamp extractions that are up to a day in the future.

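To make the quoted MAX_DAYS_AGO / MAX_DAYS_HENCE rule concrete, here is an added Python model (not Splunk's own code) that applies that window to the event from the question, using the displayed index time as "the current date"; the sample line, the index time and the helper names are constructed from the question, and the default values are the ones quoted from the docs above.

```python
from datetime import datetime
import math

# Defaults quoted from props.conf in the answer above.
MAX_DAYS_AGO = 2000    # oldest acceptable extracted date, in days before "now"
MAX_DAYS_HENCE = 2     # furthest acceptable extracted date, in days after "now"

# Constructed sample: the event from the question, whose ISO-8601 prefix was
# written by a RADIUS server whose clock had reset after a power outage.
SAMPLE_LINE = ("2002-01-01T00:02:44 127.0.0.1 Tue Jan 1 00:02:43 2002 : "
               "Error: rlm_eap: SSL error ...")
# Constructed: the index time Splunk displayed for it ("1/20/11 4:13:55.000 AM").
SAMPLE_INDEX_TIME = datetime(2011, 1, 20, 4, 13, 55)

def extract_timestamp(line):
    """Parse the leading ISO-8601 timestamp of a log line; None if absent."""
    token = line.split(" ", 1)[0]
    try:
        return datetime.strptime(token, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None

def choose_event_time(extracted, index_time,
                      max_days_ago=MAX_DAYS_AGO, max_days_hence=MAX_DAYS_HENCE):
    """Apply the window [now - MAX_DAYS_AGO, now + MAX_DAYS_HENCE] from the docs.
    Returns (event_time, reason): the extracted time if it lies inside the
    window, otherwise the index time, which is the fallback the answer describes."""
    if extracted is None:
        return index_time, "no timestamp extracted; using index time"
    age_days = (index_time - extracted).total_seconds() / 86400.0
    if age_days > max_days_ago:
        return index_time, f"{age_days:.0f} days old > MAX_DAYS_AGO={max_days_ago}; using index time"
    if -age_days > max_days_hence:
        return index_time, f"{-age_days:.0f} days ahead > MAX_DAYS_HENCE={max_days_hence}; using index time"
    return extracted, "extracted timestamp accepted"

def min_max_days_ago(extracted, index_time):
    """Smallest MAX_DAYS_AGO that would make this extracted time acceptable."""
    return math.ceil((index_time - extracted).total_seconds() / 86400.0)

if __name__ == "__main__":
    ts = extract_timestamp(SAMPLE_LINE)
    chosen, why = choose_event_time(ts, SAMPLE_INDEX_TIME)
    print(f"extracted={ts} index={SAMPLE_INDEX_TIME} -> _time={chosen} ({why})")
    print(f"MAX_DAYS_AGO needed to keep the logged time: {min_max_days_ago(ts, SAMPLE_INDEX_TIME)}")
```

For the sample event the logged time is about 3306 days older than the index time, well past the 2000-day default, so the model falls back to index time exactly as the question observed; raising MAX_DAYS_AGO only papers over the real problem, which is the server clock.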