Getting Data In

time difference in log entries and interpreted by splunk

myli12
Path Finder

One example log entry is as follows:

1/20/11 4:13:55.000 AM

2002-01-01T00:02:44 127.0.0.1 Tue Jan 1 00:02:43 2002 : Error: rlm_eap: SSL error ...

"1/20/11 4:13:55.000 AM" is what Splunk interprets when plotting the event against the timeline and displaying the event for review, and 2002-01-01 is what is actually recorded in the log (the time is because of a time reset due to a power outage).

My question is: how does Splunk get the time, and how do I reconcile the difference?


netwrkr
Communicator

I think because the time from the log file was too far in the past Splunk discards it and instead uses "index" time - that is the time the event was indexed. I seem to recall reading this in the docs from previous version but can no longer find such a reference. Here is a good article though that may help you understand things a bit better - http://www.splunk.com/base/Documentation/4.2/Data/HowSplunkextractstimestamps

[edit] - found the info here about timestamps in the past / future

http://www.splunk.com/base/Documentation/4.2/Data/Configuretimestamprecognition

MAX_DAYS_AGO =

Specifies the maximum number of days in the past, from the current date, that an extracted date can be valid. For example, if MAX_DAYS_AGO = 10 then Splunk ignores dates older than 10 days from the current date. Default is 2000. Note: If you have data that is more than 2000 days old, increase this setting.

MAX_DAYS_HENCE =

Specifies the maximum number of days in the future from the current date that an extracted date can be valid. For example, if MAX_DAYS_HENCE = 3, dates that are more than 3 days in the future are ignored. False positives are less likely with a tighter window. If your servers have the wrong date set or are in a timezone that is one day ahead, set this value to at least 3. Defaults to 2. This allows timestamp extractions that are up to a day in the future.

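The validity window the quoted docs describe, applied to the event from the question, as an added Python model (not Splunk's code and not from the original thread): the log line and index time are copied from the question, the window logic is a simplified model of the documented MAX_DAYS_AGO / MAX_DAYS_HENCE behaviour, and the 4000-day value is an assumed alternative setting.

```python
from datetime import datetime, timedelta

# Defaults quoted from the Splunk docs in the answer above.
MAX_DAYS_AGO_DEFAULT = 2000
MAX_DAYS_HENCE_DEFAULT = 2


def extracted_timestamp(line):
    """Return the leading ISO-8601 timestamp of a line like the one in the
    question, or None when the first token is not such a timestamp."""
    token = line.split(" ", 1)[0]
    try:
        return datetime.strptime(token, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None


def resolve_event_time(line, index_time,
                       max_days_ago=MAX_DAYS_AGO_DEFAULT,
                       max_days_hence=MAX_DAYS_HENCE_DEFAULT):
    """Simplified model (not Splunk's implementation) of the documented window:
    an extracted timestamp outside [index_time - max_days_ago,
    index_time + max_days_hence] is ignored and the index time is used.
    Returns (event_time, "extracted" | "index")."""
    ts = extracted_timestamp(line)
    if ts is None:
        return index_time, "index"
    earliest = index_time - timedelta(days=max_days_ago)
    latest = index_time + timedelta(days=max_days_hence)
    if earliest <= ts <= latest:
        return ts, "extracted"
    return index_time, "index"


# The event from the question (copied; the SSL error text is truncated there too).
SAMPLE_LINE = ("2002-01-01T00:02:44 127.0.0.1 Tue Jan 1 00:02:43 2002 : "
               "Error: rlm_eap: SSL error ...")
# The "1/20/11 4:13:55.000 AM" Splunk displayed, treated here as the index time.
INDEX_TIME = datetime(2011, 1, 20, 4, 13, 55)

if __name__ == "__main__":
    # 2002-01-01 is 3306 days before the index time: rejected at the default
    # 2000-day window, accepted once the window is widened (assumed value 4000).
    for ago in (MAX_DAYS_AGO_DEFAULT, 4000):
        when, source = resolve_event_time(SAMPLE_LINE, INDEX_TIME, max_days_ago=ago)
        print(f"MAX_DAYS_AGO={ago}: event time {when} (from {source})")
```

Widening the window only moves this event to 2002 on the timeline; because the recorded time comes from a clock reset after a power outage, the index time is the closer estimate of when the error actually happened.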