Hi Team, currently we are having an issue where, for a certain sourcetype, the indexed events have a future timestamp. The problem is with the Symantec log source that is forwarded from a third-party device called a TAP server to the heavy forwarder, and then it gets indexed on the indexer instances.
When we run the below query, we can see that data is being ingested with a future time instead of the actual geographic time.
earliest=@d latest=@d+1d sourcetype=symantec:tap*
props.conf details:
[symantec:tap:incidents]
SHOULD_LINEMERGE = false
FIELDALIAS-event_host = tap_host as event_host
FIELDALIAS-dest = domainId{} as dest
FIELDALIAS-file_hash = filehash{} as file_hash
TIME_PREFIX=time
MAX_TIMESTAMP_LOOKAHEAD=27
KV_MODE = json
TRUNCATE = 0
[symantec:tap:incidentevents]
SHOULD_LINEMERGE = false
FIELDALIAS-event_host = tap_host as event_host
FIELDALIAS-SHA256 = file.sha2 as SHA256
FIELDALIAS-MD5 = file.md5 as MD5
FIELDALIAS-file_size = file.size as file_size
EVAL-file_name = lower('file.name')
TIME_PREFIX=log_time
MAX_TIMESTAMP_LOOKAHEAD=27
KV_MODE = json
TRUNCATE = 0
Note: we had removed "DATETIME_CONFIG = CURRENT" from the above props.conf details, so will that be a problem? Kindly guide me on how to correct the future timestamp issue.
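Added example, not part of the original post or of Splunk: a constructed, simplified emulation of how TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD bound the text that is scanned for a timestamp, and how a value whose zone designator is missing or clipped off by that window gets read in an assumed zone and lands in the future. The sample events, the index time and the exact window semantics are assumptions for illustration.

```python
"""Constructed emulation of the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD window on
JSON events. Simplified for illustration; this is not Splunk's own code."""
import re
from datetime import datetime, timezone

# Constructed sample events (not real Symantec TAP output). The true index
# time of all three is taken to be 10:00:05Z on the same day.
INDEX_TIME = datetime(2024, 3, 1, 10, 0, 5, tzinfo=timezone.utc)
EVENTS = [
    # compact JSON: the 27-char window after "time" still contains the Z
    '{"time":"2024-03-01T10:00:00.000Z","tap_host":"tap01","severity":3}',
    # spaced JSON: the same window ends before "+05:30", so the zone is lost
    '{"time": "2024-03-01T15:30:00.000+05:30", "tap_host": "tap01"}',
    # "time" first matches inside another key, so the window holds no timestamp
    '{"first_time_seen": 1709280000, "time": "2024-03-01T10:00:00.000Z"}',
]

TS_RE = re.compile(
    r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3})?)(Z|[+-]\d{2}:\d{2})?')

def lookahead_window(event, time_prefix, lookahead):
    """Text scanned for a timestamp: `lookahead` characters starting right
    after the first match of the TIME_PREFIX regex (None if it never matches)."""
    m = re.search(time_prefix, event)
    return None if m is None else event[m.end():m.end() + lookahead]

def parse_timestamp(window, assumed_tz):
    """First ISO-8601 timestamp in the window. A value whose zone designator is
    absent (or clipped by the window) is read in `assumed_tz`, the way a
    forwarder applies its own local zone when TZ is not set for the sourcetype."""
    m = TS_RE.search(window or "")
    if m is None:
        return None
    ts = datetime.fromisoformat(
        m.group(1) + (m.group(2) or "").replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=assumed_tz)

def future_skew_seconds(event, index_time, time_prefix="time", lookahead=27,
                        assumed_tz=timezone.utc):
    """Seconds by which the extracted _time would lead index time; positive
    means the event lands in the future. None when no timestamp is found in
    the window (the case where Splunk falls back to another time source)."""
    ts = parse_timestamp(lookahead_window(event, time_prefix, lookahead), assumed_tz)
    return None if ts is None else (ts - index_time).total_seconds()

if __name__ == "__main__":
    for ev in EVENTS:
        print(future_skew_seconds(ev, INDEX_TIME), ev)
```

With the page's settings the second event comes out 19795 seconds ahead of its index time, while a wider window or an anchored prefix such as `"time":` yields the correct -5 seconds for the same events.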