Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Splunk assigning the wrong date for my firewall logs when it used to record dates accurately before?

yschiff
New Member
‎09-29-2015 02:13 PM

For some reason, Splunk is misreading the data from my firewall logs. The events clearly show the correct date and time, but Splunk is for some reason interpreting the date incorrectly. For example, in my screenshot is an event which shows occurring on 9/29/2015. However, Splunk is recording it as 9/28/2015. I'm not entirely sure when this started happening. Splunk used to record the dates accurately.

Thanks.

alt text

Preview file
1 KB
0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎06-01-2016 02:03 PM

it looks like a timezone issue
If your firewall is logging in local time and the timezone is not in the log, then splunk will thinks it is UTC. you can tell splunk which timezone it is by setting TZ= in props.conf (can do it by source for example)

0 Karma
Reply

jterry
Splunk Employee
Splunk Employee
‎06-01-2016 01:39 PM

any chance of this being a time-zone issue? Perhaps check to see whether the splunk account profile you're using has a different timezone setting than the firewall system.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...