How to correct the future time stamp issue occurring for certain sourcetype and host?

Hemnaath
Motivator

Hi All, currently we are facing an issue with data being logged with a future time stamp for certain hosts and source types.

In our environment we have nearly 1000 Windows UF agents installed to pull the data from the remote Windows machines, and it is parsed on 5 indexer instances to index the data from the remote devices.

Out of the 1000 Windows UF agents, nearly 200 are logging with a future time stamp for sourcetype = Script:ListeningPorts.

I have used the below query to identify the list of log sources that are logging with future time stamps.

I used this query to verify whether the host and source type are logging with a future time stamp or not.

index=win_svrs host=test1 sourcetype=Script:ListeningPorts earliest=+5m latest=+20y
| where _indextime < _time
| eval indextime=strftime(_indextime, "%+")

Below are the partial configuration details:

My input stanza, configured on all remote Windows machines via the deployment server (inputs.conf):

# Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
# Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index = win_svrs

Props.conf
[source::...win_listening_ports.bat]
sourcetype = Script:ListeningPorts

Data is parsed on all the indexer instances before being written to the index.

Props.conf

# Listening Ports
[Script:ListeningPorts]
SHOULD_LINEMERGE = false

Transforms.conf

# Listening Ports
# Note: the stray "[" before the capture group opened an unclosed character
# class, which PCRE rejects; it is removed here and the dots are escaped so
# they match literal "." rather than any character.
[dest_ip_for_listeningports]
REGEX = dest_ip=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1

[kv_for_listeningports]
DELIMS = " ", "="

I am not sure how it is working for the other 800 servers with the correct time stamp for the same sourcetype, and only for 200 servers we could see a future time stamp.

Kindly guide me on how to correct the future time stamp issue for the 200 servers.


sbbadri
Motivator

@Hemnaath

[Script:ListeningPorts]
TZ = US/Eastern
(whichever timezone you want)

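To show why a per-sourcetype TZ fixes this, here is an added Python example (not from the post, and not Splunk code): it interprets the script's zone-less timestamp the way an indexer would with and without a TZ for the sourcetype, and replicates the `_indextime < _time` check over constructed rows. The host zone Asia/Kolkata, the sample timestamp and the host names are constructed assumptions.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed assumption: the scripted input emits a timestamp with no zone
# information, so whoever parses it must assume a zone (the indexer's own, or
# the TZ set for the sourcetype in props.conf).
RAW_TS_FORMAT = "%Y-%m-%d %H:%M:%S"
RAW_TS = "2024-03-10 14:00:00"      # constructed line from one host
HOST_TZ = "Asia/Kolkata"            # constructed: the host really is at UTC+5:30

def parse_event_time(raw_ts: str, assumed_tz: str) -> int:
    """Turn a zone-less timestamp into epoch seconds (_time) under assumed_tz."""
    naive = datetime.strptime(raw_ts, RAW_TS_FORMAT)
    return int(naive.replace(tzinfo=ZoneInfo(assumed_tz)).timestamp())

# The true moment the script ran, and the index time 5 seconds later.
TRUE_EVENT_EPOCH = parse_event_time(RAW_TS, HOST_TZ)
INDEX_EPOCH = TRUE_EVENT_EPOCH + 5

def skew_seconds(event_time: int, index_time: int) -> int:
    """Positive means the event is stamped after it was indexed (future time stamp)."""
    return event_time - index_time

def skew_without_tz(indexer_tz: str = "UTC") -> int:
    """No TZ for the sourcetype: the indexer applies its own zone to the raw stamp."""
    return skew_seconds(parse_event_time(RAW_TS, indexer_tz), INDEX_EPOCH)

def skew_with_props_tz() -> int:
    """props.conf carries TZ = Asia/Kolkata for [Script:ListeningPorts]."""
    return skew_seconds(parse_event_time(RAW_TS, HOST_TZ), INDEX_EPOCH)

# Constructed rows shaped like the search output: test1 has no TZ fix, test2 has it.
SAMPLE_EVENTS = [
    {"host": "test1", "_time": parse_event_time(RAW_TS, "UTC"), "_indextime": INDEX_EPOCH},
    {"host": "test2", "_time": TRUE_EVENT_EPOCH, "_indextime": INDEX_EPOCH},
]

def future_hosts(events, tolerance_seconds: int = 0) -> list:
    """Same test as `| where _indextime < _time`: hosts whose events sit in the future."""
    return sorted({e["host"] for e in events
                   if skew_seconds(e["_time"], e["_indextime"]) > tolerance_seconds})

if __name__ == "__main__":
    print("skew without TZ (s):", skew_without_tz())      # 19795: 5h30 into the future
    print("skew with TZ (s):", skew_with_props_tz())      # -5: indexed 5 s after the event
    print("hosts with future stamps:", future_hosts(SAMPLE_EVENTS))  # ['test1']
```

The same mechanism explains why only some agents are affected: hosts whose local zone matches the indexer's assumed zone parse correctly without any TZ setting, while hosts east of it land in the future.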