Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexed time and event logged time is mismatching

gkumarashanmuga
Explorer
‎06-06-2018 02:45 AM

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please let me know how to fix this timestamp issues. I guess need to use props.conf timestamp settings.

Sample event :

I viewed it in list mode

Time
6/6/18
11:28:09.000 AM

EVENT
20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@111] Test Backup succeeded

Likewise all the events are generated

If i viewed in Raw mode :

20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@11] Test Backup succeeded.

0 Karma
Reply

DEAD_BEEF
Builder
‎06-06-2018 10:12 AM

I don't see anything wrong with the time either. It may help if you included a screenshot or something. Both timestamps are 11:28:09. What's the issue?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎06-06-2018 06:06 AM

I'm not sure I see what's wrong. I see no year in your raw event, so from where would Splunk get a value to use other than "The current year?"

Unless - is the "20 6" supposed to be "2006" or "2016" or "2026" or something?

Do you have any control over the format of the raw events?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...