_time is wrong

sarit_s · ‎01-31-2020

Hello

i'm creating a sample of some poc so i added data manually from the "add data" option.
when reviewing the time format from the "add data" option i see everything extracting perfectly but when searching in splunk the time in "_time" is the time that i added the data.

for example:

02/02/2020
11:19:20.000    
44.204.160.84 - - [02/Feb/2020:23:55:40 +0200] "POST /posts/posts/explore HTTP/1.0"

so you can see that the date is correct but the time is not the same as in the event

update
i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000
138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000
217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

how can i fix it ?

thanks

richgalloway · ‎01-31-2020

Add TIME_FORMAT = %d/%b/%Y:%H:%M:%S %Z and change the TIME_PREFIX value to \[.

---
If this reply helps you, Karma would be appreciated.

sarit_s · ‎01-31-2020

it is not working.. now even the date is wrong :

02/02/2020
20:53:37.000    
146.145.47.30 - - [06/Feb/2020:20:34:28 +0200] "PUT /list HTTP/1.0"

also i noticed something strange :
this is the msg i got after the search completed :

5,000 events (before 31/01/2020 20:57:34.000)
but the results i got is from 2\2\2020 which is future date...

skalliger · ‎01-31-2020

Please show us your props.conf stanza with the according settings and maybe give us more than one sample event.

Skalli

sarit_s · ‎01-31-2020

[access_combined]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = 
disabled = false
TZ = UTC


02/02/2020
13:05:47.000    
25.90.196.46 - - [02/Feb/2020:23:58:19 +0200] "GET /explore HTTP/1.0"

to4kawa · ‎01-31-2020

TZ = UTC ? log is +0200.
please set TIME_FORMAT

p_gurav · ‎01-31-2020

Did you set any default timezone for your user? Also, check the system timezone.

sarit_s · ‎01-31-2020

yes, user's timezone set to Asia\Jerusalem

p_gurav · ‎01-31-2020

ok. and what is the indexer's timezone? Also, In props.conf put TZ= Asia/Jerusalem.

sarit_s · ‎01-31-2020

the indexer TZ is also Asia/Jerusalem
also, i changed it in props but it is not helping

i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000

138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000

217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

_time is wrong

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...