Re: Solarwinds Alerts Timestamp issue

brandonf · ‎08-03-2018

Howdy

We have installed and configured the add-on and data is being retrieved. However we notice that the timestamp on the alert events is wrong - it seems to be exactly 2 hours behind. We check the SQL eventtime and it is correct there but the script seems to to be incorrectly interpreting the timestamp?

The format in the database is YYYY-mm-dd HH:MM:SS.3N but Splunk shows YYYY-mm-ddTHH:MM:SS.XXXXXX

Thanks
B

ankurpwc · ‎04-18-2020

HI brandonf,

Have you found solution for this ? we too are facing exactly same issue.

neltavares · ‎12-18-2018

We are noticing the exact same behavior as described above, but in our case we are exactly 5 hours behind, which coincides with the difference between our time zone (Eastern Standard) and UTC time.

Solarwinds is forwarding events to splunk correctly, but the events are from exactly 5 hours ago.
So an alert sent from solarwinds to splunk with the following eventTime: EventTime: 2018-12-18T15:39:16.2600000 actually appeared in solarwinds at 10:39 (and not 15:39).

Has anyone found a way to correct this?

Thanks!

macadminrohit · ‎12-18-2018

We had similar problem but not in solarwinds app. for this sourcetype you can specifically define TIME_PREFIX and TIME_FORMAT in props.conf since you dont have TZ in the event itself . You can set TZ in props.conf and explicitly let Splunk know which TZ event is in .

See the below link, this should help you.

https://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Applytimezoneoffsetstotimestamps

Solarwinds Alerts Timestamp issue

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...