Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

_time is wrong

sarit_s
Communicator
‎01-31-2020 02:39 AM

Hello

i'm creating a sample of some poc so i added data manually from the "add data" option.
when reviewing the time format from the "add data" option i see everything extracting perfectly but when searching in splunk the time in "_time" is the time that i added the data.

for example:

02/02/2020
11:19:20.000    
44.204.160.84 - - [02/Feb/2020:23:55:40 +0200] "POST /posts/posts/explore HTTP/1.0"

so you can see that the date is correct but the time is not the same as in the event

update
i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000
138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000
217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

how can i fix it ?

thanks

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-31-2020 05:47 AM

Add TIME_FORMAT = %d/%b/%Y:%H:%M:%S %Z and change the TIME_PREFIX value to \[.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarit_s
Communicator
‎01-31-2020 11:00 AM

it is not working.. now even the date is wrong :

02/02/2020
20:53:37.000    
146.145.47.30 - - [06/Feb/2020:20:34:28 +0200] "PUT /list HTTP/1.0"

also i noticed something strange :
this is the msg i got after the search completed :

5,000 events (before 31/01/2020 20:57:34.000)
but the results i got is from 2\2\2020 which is future date...

0 Karma
Reply

skalliger
SplunkTrust
SplunkTrust
‎01-31-2020 02:45 AM

Please show us your props.conf stanza with the according settings and maybe give us more than one sample event.

Skalli

0 Karma
Reply

sarit_s
Communicator
‎01-31-2020 03:09 AM 
[access_combined]
DATETIME_CONFIG = 
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = 
disabled = false
TZ = UTC


02/02/2020
13:05:47.000    
25.90.196.46 - - [02/Feb/2020:23:58:19 +0200] "GET /explore HTTP/1.0"
0 Karma
Reply

to4kawa
Ultra Champion
‎01-31-2020 04:28 AM

TZ = UTC ? log is +0200.
please set TIME_FORMAT

0 Karma
Reply

p_gurav
Champion
‎01-31-2020 02:43 AM

Did you set any default timezone for your user? Also, check the system timezone.

0 Karma
Reply

sarit_s
Communicator
‎01-31-2020 03:08 AM

yes, user's timezone set to Asia\Jerusalem

0 Karma
Reply

p_gurav
Champion
‎01-31-2020 03:27 AM

ok. and what is the indexer's timezone? Also, In props.conf put TZ= Asia/Jerusalem.

0 Karma
Reply

sarit_s
Communicator
‎01-31-2020 03:46 AM

the indexer TZ is also Asia/Jerusalem
also, i changed it in props but it is not helping

i noticed that it is failing only from some point in the log
so for example i have this event :
02/02/2020
13:41:28.000

138.47.33.59 - - [02/Feb/2020:13:41:28 +0200] "PUT /explore HTTP/1.0"

date and time are correct
right after that i have this event :
02/02/2020
13:41:28.000

217.135.8.245 - - [02/Feb/2020:13:45:27 +0200] "GET /explore HTTP/1.0"
date is correct, time not. it saves the time of the previous event. and this is the time for the rest of the events

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...