Community:Search Report: How To Analyze parsed Timestamp Vs original Timestamp in an event
From Splunk Wiki
How To Analyze Parsed Timestamp Vs Original Timestamp in an Event
This search is useful when you want to check whether a timestamp parsed at index time is correct, by comparing it with the original timestamp in the event.
First, keep in mind that Splunk stores timestamps as epoch time (seconds since 1970-01-01 00:00:00 UTC). Time-range checks in a search, and the timestamps displayed in results, are therefore rendered according to the timezone of the system clock on which the search runs.
#
# How to verify if a timestamp was parsed correctly from the original event
#
# Test conditions
# 1. Events have a timestamp in the UTC timezone. Example:
Wed, 17 Apr 2013 23:42:29 UTC DEBUG: Read C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_vcenter\local\inputs.conf
Wed, 17 Apr 2013 22:42:29 UTC DEBUG: mod: Fri Dec 14 14:46:12 PST 2012
Wed, 17 Apr 2013 21:42:29 UTC DEBUG: Read C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_vcenter\local\inputs.conf
Wed, 17 Apr 2013 20:42:29 UTC DEBUG: mod: Fri Dec 14 14:46:12 PST 2012
# 2. Splunk is running on a server in PDT (UTC -7 hours)
#
# Verifying the timestamp by comparing the original and the indexed timestamp
#
# Search
index=main UTC source="C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_vcenter\\bin\\SetHost.bat"
| eval TT=_time
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %z")
| rex "^\w+, (?<origTimestamp>.+?)\s+DEBUG"
| eval origTimestamp_A=round(strptime(origTimestamp, "%d %h %Y %H:%M:%S %Z"), 0)
| eval Diff=round(_time, 0)-origTimestamp_A
| table _time Time origTimestamp Diff origTimestamp_A TT
# Run the search from the CLI
./bin/splunk search 'index=main UTC source="C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_vcenter\\bin\\SetHost.bat"
> | eval TT=_time
> | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %z")
> | rex "^\w+, (?<origTimestamp>.+?)\s+DEBUG"
> | eval origTimestamp_A=round(strptime(origTimestamp, "%d %h %Y %H:%M:%S %Z"), 0)
> | eval Diff=round(_time, 0)-origTimestamp_A
> | table _time Time origTimestamp Diff origTimestamp_A TT
> ' -auth admin:changeme1
_time                       Time                    origTimestamp            Diff origTimestamp_A TT
--------------------------- ----------------------- ------------------------ ---- --------------- ----------
2013-04-17 16:42:29.000 PDT 04/17/13 16:42:29 -0700 17 Apr 2013 23:42:29 UTC 0    1366242149      1366242149
2013-04-17 15:42:29.000 PDT 04/17/13 15:42:29 -0700 17 Apr 2013 22:42:29 UTC 0    1366238549      1366238549
2013-04-17 14:42:29.000 PDT 04/17/13 14:42:29 -0700 17 Apr 2013 21:42:29 UTC 0    1366234949      1366234949
2013-04-17 13:42:29.000 PDT 04/17/13 13:42:29 -0700 17 Apr 2013 20:42:29 UTC 0    1366231349      1366231349
#
# Check the time difference when the timezone in the original timestamp is NOT applied
# (strptime without %Z), and compare it with the indexed timestamp
#
# Search
index=main UTC source="C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_vcenter\\bin\\SetHost.bat"
| eval TT=_time
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %z")
| rex "^\w+, (?<origTimestamp>.+?)\s+DEBUG"
| eval origTimestamp_A=round(strptime(origTimestamp, "%d %h %Y %H:%M:%S"), 0)
| eval Diff=round((round(_time, 0)-origTimestamp_A)/60/60, 0)
| table _time Time origTimestamp Diff origTimestamp_A TT
# Run the search from the CLI => a Diff of -7 confirms that the server is currently UTC -7 hours (PDT)
./bin/splunk search 'index=main UTC source="C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_vcenter\\bin\\SetHost.bat"
| eval TT=_time
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %z")
| rex "^\w+, (?<origTimestamp>.+?)\s+DEBUG"
| eval origTimestamp_A=round(strptime(origTimestamp, "%d %h %Y %H:%M:%S"), 0)
| eval Diff=round((round(_time, 0)-origTimestamp_A)/60/60, 0)
| table _time Time origTimestamp Diff origTimestamp_A TT' -auth admin:changeme1
_time                       Time                    origTimestamp            Diff origTimestamp_A TT
--------------------------- ----------------------- ------------------------ ---- --------------- ----------
2013-04-17 16:42:29.000 PDT 04/17/13 16:42:29 -0700 17 Apr 2013 23:42:29 UTC -7   1366267349      1366242149
2013-04-17 15:42:29.000 PDT 04/17/13 15:42:29 -0700 17 Apr 2013 22:42:29 UTC -7   1366263749      1366238549
2013-04-17 14:42:29.000 PDT 04/17/13 14:42:29 -0700 17 Apr 2013 21:42:29 UTC -7   1366260149      1366234949
2013-04-17 13:42:29.000 PDT 04/17/13 13:42:29 -0700 17 Apr 2013 20:42:29 UTC -7   1366256549      1366231349
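The two searches above differ only in whether strptime is told about the trailing zone name ("%Z"): with it, the original timestamp is converted from UTC and Diff is 0; without it, the wall-clock time is interpreted in the indexer's local timezone and Diff becomes the server's UTC offset. The following Python script is an added example (not from the Splunk Wiki and not Splunk code) that reproduces both checks offline against the four sample events and the _time values shown on this page. It assumes a fixed UTC -7 offset standing in for the indexer's PDT clock, so it needs no system timezone database.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's four raw events paired with the epoch value
# Splunk assigned at index time (the _time / TT column of the page's output).
SAMPLE_EVENTS = [
    ("Wed, 17 Apr 2013 23:42:29 UTC DEBUG: Read C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_vcenter\\local\\inputs.conf", 1366242149),
    ("Wed, 17 Apr 2013 22:42:29 UTC DEBUG: mod: Fri Dec 14 14:46:12 PST 2012", 1366238549),
    ("Wed, 17 Apr 2013 21:42:29 UTC DEBUG: Read C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\Splunk_TA_vcenter\\local\\inputs.conf", 1366234949),
    ("Wed, 17 Apr 2013 20:42:29 UTC DEBUG: mod: Fri Dec 14 14:46:12 PST 2012", 1366231349),
]

# Assumption: the indexer's local clock is PDT, modelled as a fixed UTC-7 offset
# (the page states "PDT (-7 hours)"); a real deployment would use the host zone.
SERVER_TZ = timezone(timedelta(hours=-7), "PDT")

# Same extraction as the page's rex: drop the weekday, keep up to "DEBUG".
TIMESTAMP_RE = re.compile(r"^\w+, (?P<origTimestamp>.+?)\s+DEBUG")

# Zone names this example understands; anything else is treated as a parse error
# rather than silently assumed to be local time.
KNOWN_ZONES = {"UTC": timezone.utc, "GMT": timezone.utc}


def extract_orig_timestamp(event: str) -> str:
    """Return the original timestamp text, e.g. '17 Apr 2013 23:42:29 UTC'."""
    m = TIMESTAMP_RE.match(event)
    if m is None:
        raise ValueError(f"no timestamp found in event: {event!r}")
    return m.group("origTimestamp")


def parse_orig_timestamp(orig: str, honour_zone: bool = True) -> int:
    """Convert the original timestamp to epoch seconds.

    honour_zone=True  mirrors strptime(..., "%d %h %Y %H:%M:%S %Z"): the zone
                      name in the event is applied.
    honour_zone=False mirrors strptime(..., "%d %h %Y %H:%M:%S"): the zone name
                      is ignored and the wall-clock time is read in SERVER_TZ.
    """
    wall, zone = orig.rsplit(" ", 1)
    naive = datetime.strptime(wall, "%d %b %Y %H:%M:%S")
    if honour_zone:
        tz = KNOWN_ZONES.get(zone.upper())
        if tz is None:
            raise ValueError(f"unknown timezone designator {zone!r} in {orig!r}")
    else:
        tz = SERVER_TZ
    return int(naive.replace(tzinfo=tz).timestamp())


def format_indexed_time(epoch: int) -> str:
    """Render _time like the page's strftime(_time, "%m/%d/%y %H:%M:%S %z")."""
    return datetime.fromtimestamp(epoch, SERVER_TZ).strftime("%m/%d/%y %H:%M:%S %z")


def check_events(events, honour_zone: bool = True):
    """Build the page's result table: one row per event with Diff in hours."""
    rows = []
    for raw, indexed_epoch in events:
        orig = extract_orig_timestamp(raw)
        orig_epoch = parse_orig_timestamp(orig, honour_zone)
        rows.append({
            "Time": format_indexed_time(indexed_epoch),
            "origTimestamp": orig,
            "Diff": round((indexed_epoch - orig_epoch) / 3600),
            "origTimestamp_A": orig_epoch,
            "TT": indexed_epoch,
        })
    return rows


if __name__ == "__main__":
    for label, honour in (("with %Z", True), ("without %Z", False)):
        print(f"--- {label} ---")
        for row in check_events(SAMPLE_EVENTS, honour):
            print(row["Time"], row["origTimestamp"], row["Diff"],
                  row["origTimestamp_A"], row["TT"])
```

A non-zero, constant Diff equal to the server's UTC offset is the signature of a timestamp that was parsed without its zone designator; a Diff that varies between events usually points at a different problem (wrong TIME_FORMAT, or the wrong substring being matched as the timestamp).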