Refine your search:

Why would the date_hour not match my event timestamps?

2

I have many hosts with the correct event time, these all forward to two receivers with the correct time. I wanted to search by "date_hour" to show after hour events. I notice that the "date_hour" is reporting 5 hours in the future on all hosts and events. Where is this time stamp coming from? Can it be synchronized?

I am reporting on /var/log/audit/audit.log using souretype=linux_audit.

asked 27 Apr '10, 17:02

djfisher's gravatar image

djfisher
5519
accept rate: 33%

2 Answers:
oldestnewestmost voted
2

date_hour is the hour in the text of the event, unadjusted for time zone. We keep this specifically because when searching by hour of day, it's more common to care about the local time of the event than the absolute time. You can offset it by using the date_zone field. If date_zone is local or null, the offset is the same as the Splunk server offset. But in your case, the offset is probably different, in which case you can offset by doing (date_hour-(date_zone/60))%24 to convert to the UTC hour, or (date_hour-((date_zone-local_tz_offset_minutes)/60))%24 to convert to the local TZ.

link

answered 27 Apr '10, 18:06

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
accept rate: 41%

0

I have a similar problem. The even logs have a certain GMT +11 correction and I need to match the two timestamps and I need no correction.

Which file do I need to modify so that the two timestamps corresponding to one event (from a search) match(and without any GMT corrections) ??

Bit of urgency, would appreciate a quick help !

link

answered 19 Mar '12, 01:50

asgupte's gravatar image

asgupte
11
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×343
×40

Asked: 27 Apr '10, 17:02

Seen: 1,406 times

Last updated: 19 Mar '12, 01:50

Related questions

date_hour not present in WinEventLogs

why would a search against summary index data spend most of the time in kv and rawdata

How does Splunk determine the date, when there is no date stamp in the event?

Is an index-time extraction right for my situation?

Matching events by pair

What would cause the "date_*" fields to be missing from an event?

find the last time an event occurred by field

adjusting date_hour in report to reflect local timezone

Why is index-time field extraction not searchable?

Copyright © 2005-2012 Splunk Inc. All rights reserved.