Indexed time and event logged time is mismatching

gkumarashanmuga · ‎06-06-2018

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please let me know how to fix this timestamp issues. I guess need to use props.conf timestamp settings.

Sample event :

I viewed it in list mode

Time
6/6/18
11:28:09.000 AM

EVENT
20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@111] Test Backup succeeded

Likewise all the events are generated

If i viewed in Raw mode :

20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@11] Test Backup succeeded.

DEAD_BEEF · ‎06-06-2018

I don't see anything wrong with the time either. It may help if you included a screenshot or something. Both timestamps are 11:28:09. What's the issue?

Richfez · ‎06-06-2018

I'm not sure I see what's wrong. I see no year in your raw event, so from where would Splunk get a value to use other than "The current year?"

Unless - is the "20 6" supposed to be "2006" or "2016" or "2026" or something?

Do you have any control over the format of the raw events?

Indexed time and event logged time is mismatching

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk