Re: date related issue

sunnyparmar · ‎07-26-2016

Hi,

I am facing date related issue in my some of the splunk logs. Today is 26 July but it is showing timing something like given below -

7/28/16 22848 14:15:55 [Info] 00001332 #01 Batch opened '20160728_0500 - 02749648_11'
6:45:55.000 PM 22848 14:15:55 [Info] 00001333 #01 Batch class: "HammondCare - Live - Email"

I have checked inputs.conf and time zone of the server from where the logs coming and with this check the Splunk server time as well. All things are in correct format then why i am facing this issue? Any insight would be appreciated.

Thanks

dshpritz · ‎07-27-2016

Given the sample data, you will most likely have to adjust the timestamping for your data to something like:

[sc-kofax-ktm]
TIME_PREFIX = ^\d+\s+
MAX_TIMESTAMP_LOOKAHEAD = 8
TIME_FORMAT = %H:%M:%S

This should go in a props.conf on the first full Splunk Enterprise instance the data will hit, most likely your indexer(s).

somesoni2 · ‎07-26-2016

What is the sourcetype definition for this data (event parsing setting defined in props.conf for this sourcetype in your indexers/heavy forwarders)? It seems like your logs doesn't have date and/or you've not configured correct timestamp recognition, so Splunk taking date from the message field (Batch opened '20160728_0500 - 02749...).

sunnyparmar · ‎07-26-2016

sourcetype definition is sc-kofax-ktm. you are asking about entry in props.conf on main Splunk server or on forwarder side? and yes you are right in log files date are not configured. logs format are given below -

08168 00:01:40 [Info] 00000001 #01 Loading batch '20160726_1900 - 02745216_04'.
08168 00:01:40 [Info] 00000002 #01 Loading project associated to batch.
08168 00:01:41 [Info] 00000003 #01 Verifying that sufficient licenses are available.
08168 00:01:41 [Info] 00000004 #01 Batch opened '20160726_1900 - 02745216_04'
08168 00:01:41 [Info] 00000005 #01 Batch class: "ExxonMobilNAStripes - Live"
08168 00:06:56 [Info] 00000006 #01 Start processing of 10 document(s).
08168 00:08:03 [Info] 00000007 #01 Processing results of document 1
08168 00:08:03 [Info] 00000008 #01 Form type "FT_Invoice3341" associated with class "CA"
08168 00:08:03 [Info] 00000009 #01 Document classified as "CA"
08168 00:08:03 [Info] 00000010 #01 Document extracted successfully, 174 field(s) found.
08168 00:08:08 [Info] 00000011 #01 Processing results of document 2
08168 00:08:09 [Info] 00000012 #01 Form type "FT_Invoice3341" associated with class "CA"
08168 00:08:09 [Info] 00000013 #01 Document classified as "CA"
08168 00:08:09 [Info] 00000014 #01 Document extracted successfully, 171 field(s) found.
08168 00:09:00 [Info] 00000015 #01 Processing results of document 3
08168 00:09:01 [Info] 00000016 #01 Form type "FT_Invoice3341" associated with class "CA"
08168 00:09:01 [Info] 00000017 #01 Document classified as "CA"
08168 00:09:01 [Info] 00000018 #01 Document extracted successfully, 173 field(s) found.
08168 00:10:10 [Info] 00000019 #01 Processing results of document 5
08168 00:10:11 [Info] 00000020 #01 Form type "FT_Invoice3341" associated with class "CA"
08168 00:10:11 [Info] 00000021 #01 Document classified as "CA"
08168 00:10:11 [Info] 00000022 #01 Document extracted successfully, 175 field(s) found.

dshpritz · ‎07-26-2016

Can you provide a screenshot of the event from Splunk? I'm having trouble with the way Answers is formatting it. Also, what should the correct timestamp for this event be?

sunnyparmar · ‎07-27-2016

Hi,

how can I provide the screenshot of splunk data. I am not able to paste here any type of snapshot so could you please guide me for the same

Thanks

date related issue

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases