Solved: Time in Splunk - Splunk Community

Installation

Hello,

I have a few questions about the time in Splunk. That is a entry from an older logfile and here the _time field and the timestamp in the log does not match!

4/30/23
1:32:16.000 PM

Mai 08 13:32:16 xxxxxx sshd[3312558]: Failed password for yyyyyyyy from 192.168.1.141 port 58744 ssh2

How could that happen?

How does time come up with the time fields? And how does it handle files which comtain no time-stamps? Is then the index-time used?

Ther is a few things which I do not fully understand - maybe there is some article in the documentation which explain that in detail but I have not found with a quick search.

Could pleas someone clearify how splunk handle that or link to an article? Thanks!

1 Solution

Solution

here you can find some useful description of how Splunk manages timezones:

https://docs.splunk.com/Documentation/SCS/current/Search/Timezones

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Applytimezoneoffsetstotimestamps

In few words, yes, if Splunk isn't able to understand the timestamp, is uses the previous event timestamp or _indextime as _time.

Splunk automatically manages different timezones so, setting the timezone in your user preferences, you can read the timestamps using the timestamp corresponding to your timezone.

Ciao.

Giuseppe

View solution in original post

the timestamp format is defined for each sourcetype in the props.conf (for more infos see at https://docs.splunk.com/Documentation/ITSI/4.17.0/Configure/props.conf) to deploy to the Forwarders that ingested tha log and on the Search Head.

The timestamp format definitions are described at https://docs.splunk.com/Documentation/SCS/current/Search/Timevariables

In your case, you have to set:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S

Ciao.

Giuseppe

Hi Giuseppe,

so that was a parsing error - make sence because a hand full of older entries hat another formating. The majority of the entries from that older logfile where indexed correctly!

Just that I understand it - Splunk parses the event and extract a time from the event. That parsed time is stored in _time. The indextime is stored in _indextime.

In case there is not time entry in the file the indextime ist also used for _time.

Correct so far?

But what if I get events from machines in different timezones? Is _time converted fo my local timezone?

What does it mean when I search for events from today 6:00am till 10:00am? Does that mean 6:00am - 10:00am in my timezone? Or in the timezones of the machines?

Solution

here you can find some useful description of how Splunk manages timezones:

https://docs.splunk.com/Documentation/SCS/current/Search/Timezones

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Applytimezoneoffsetstotimestamps

In few words, yes, if Splunk isn't able to understand the timestamp, is uses the previous event timestamp or _indextime as _time.

Splunk automatically manages different timezones so, setting the timezone in your user preferences, you can read the timestamps using the timestamp corresponding to your timezone.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...