Hi-
There is an issue in my Splunk regarding the time and date of each event. Some events have year 2017, year 2018 in the timestamp. Please help
3/12/18
6:14:00.000 PM
LATEST UPDATE : Mar 12 18:14 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.659
host=xxxxxx
sourcetype=lptvpn-too_small
source=/var/log/lptvpn.log
index=prod
timeendpos=28
timestartpos=16

6/18/17
5:01:00.000 PM
LATEST UPDATE : Jun 18 17:01 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.869
host=xxxxx
sourcetype=lptvpn-too_small
source=/var/log/lptvpn.log
index=prod
timeendpos=28
timestartpos=16

3/20/17
5:58:00.000 PM
LATEST UPDATE : Mar 20 17:58 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.675
host=xxxxxx
sourcetype=lptvpn-too_small
source=/var/log/lptvpn.log
index=prod
timeendpos=28
timestartpos=16

3/19/17
5:46:00.000 PM
LATEST UPDATE : Mar 19 17:46 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.673
host=xxxxx
sourcetype=lptvpn-too_small
source=/var/log/lptvpn.log
index=prod
timeendpos=28
timestartpos=16

6/17/16
4:13:00.000 PM
LATEST UPDATE : Jun 17 16:13 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.867
host=xxxxx
sourcetype=lptvpn-too_small
source=/var/log/lptvpn.log
index=prod
timeendpos=28
timestartpos=16
I already figured out this one. Splunk gets the timestamp on input of the event logs itself. The timestamp shows 2018-03-12 because the input of the logs includes Mar 12 18:14. It seems that the timestamp reads the time 18:14 (6:14 PM) as year 2018.
We need to see the inputs.conf and props.conf that you are using to read this file.
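An added example, not from this thread, of the inputs.conf and props.conf stanzas that pin the timestamp extraction for this log so the "18" in "18:14" is read as the hour rather than the year. The sourcetype name lptvpn and the TZ value are assumptions; the event layout (timestamp at positions 16-28, no year in the log line) comes from the events above.

```ini
# inputs.conf, on the forwarder or instance reading the file.
# The events show an auto-generated "lptvpn-too_small" sourcetype, so give
# the input an explicit sourcetype that a props.conf stanza can match.
[monitor:///var/log/lptvpn.log]
sourcetype = lptvpn
index = prod

# props.conf, on the first full Splunk instance that parses the data.
[lptvpn]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Start the timestamp search right after the literal prefix so the scanner
# cannot pick the "18" of "18:14" up as a two-digit year.
TIME_PREFIX = ^LATEST UPDATE\s*:\s*
TIME_FORMAT = %b %d %H:%M
# "Mar 12 18:14" is 12 characters; do not scan further into the event.
MAX_TIMESTAMP_LOOKAHEAD = 12
# The log line carries no year, so Splunk fills it in from the current date.
# TZ is an assumption based on the +1000/+1100 offsets in the extract.
TZ = Australia/Sydney
```

After changing props.conf, restart the parsing instance and check new events with the date_year and _time fields; events already indexed keep the timestamp they were given at ingest.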
Below is the extract. As you can see, the time and date of my logs have discrepancies (2017, 2018, 2016). Thanks

| _raw | _time | date_hour | date_mday | date_minute | date_month | date_wday | date_year | date_zone |
|---|---|---|---|---|---|---|---|---|
| LATEST UPDATE : Mar 12 18:14 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.659 | 2018-03-12T18:14:00.000+1100 | 18 | 12 | 14 | march | monday | 2018 | 660 |
| LATEST UPDATE : Jun 18 17:01 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.869 | 2017-06-18T17:01:00.000+1000 | 17 | 18 | 1 | june | sunday | 2017 | 600 |
| LATEST UPDATE : Mar 20 17:58 LATEST ANTI-VIRUS DEFINITION : lpt$vpn.675 | 2017-03-20T17:58:00.000+1100 | 17 | 20 | 58 | march | monday | 2017 | 660 |