How leap seconds affect Splunk Enterprise behavior

release date
2015-06-22
last updated
2023-06-30
version
Splunk Enterprise 9.0.5
Overview
When Splunk Enterprise ingests an event whose timestamp falls in a leap second (a seconds field of 60), the timestamp may not be recognized, in which case the event can be merged into the preceding event and end up spanning multiple lines, or the event may be assigned a timestamp that differs from the actual time.
Reference information

A leap second has no effect on Splunk services themselves; it does not cause service outages.

However, Splunk does not recognize leap seconds in timestamps. If an event's timestamp is a leap second, there are two possible effects:

The timestamp is not recognized, and the event ends up spanning multiple lines (it is merged into the preceding event).

The timestamp is recognized, but with a value that differs from the actual time.

About events that span multiple lines

By default, Splunk uses the timestamp to separate events.
If the source type already defines multi-line events with an explicit delimiter, a leap second has no effect, because the event boundary does not depend on recognizing the timestamp.

If the data is written with one event per line, the timestamp of the leap-second line may not be recognized and that event may end up spanning multiple lines, unless "SHOULD_LINEMERGE=false" is explicitly set in props.conf for the source type used by the data input.

*The setting "SHOULD_LINEMERGE=false" is for ingesting one event per line. Its default value is "true", and BREAK_ONLY_BEFORE_DATE also defaults to "true", so Splunk first splits the raw data into lines with the regular expression in LINE_BREAKER (default value "([\r\n]+)") and then starts a new event only at a line that begins with a recognizable timestamp. A line whose timestamp is not recognized, such as one with a seconds value of 60, does not start a new event and is appended to the preceding event.
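To make the two line-breaking behaviours concrete, here is an added Python simulation (not Splunk code and not from the original article) of the two stages described above: splitting on LINE_BREAKER, then the SHOULD_LINEMERGE / BREAK_ONLY_BEFORE_DATE merge that starts a new event only at a line with a recognized timestamp. The log lines, the TIME_FORMAT and the props.conf values it mirrors are constructed for the example; datetime.strptime's rejection of a seconds value of 60 stands in for Splunk not recognizing a leap second.

```python
import re
from datetime import datetime

# Constructed sample data (not from the original page): three one-event-per-line
# records around the leap second, using the page's 8:59:60 on July 1, 2015 example.
RAW = (
    "2015-07-01 08:59:59 sshd[4242]: Accepted publickey for alice from 10.0.0.5\n"
    "2015-07-01 08:59:60 sshd[4242]: Accepted publickey for bob from 10.0.0.9\n"
    "2015-07-01 09:00:00 sshd[4242]: session closed for user alice\n"
)

# Hypothetical props.conf values mirrored by this simulation:
#   LINE_BREAKER = ([\r\n]+)          (Splunk default; capture group 1 is discarded)
#   TIME_FORMAT  = %Y-%m-%d %H:%M:%S
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
TIME_PREFIX_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def recognize_timestamp(line):
    """Return the timestamp at the start of `line`, or None if it is not recognized.

    datetime.strptime raises ValueError for a seconds field of 60, which stands in
    for Splunk not recognizing a leap second.
    """
    m = TIME_PREFIX_RE.match(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(0), TIME_FORMAT)
    except ValueError:  # "second must be in 0..59"
        return None


def break_events(raw, should_linemerge=True, line_breaker=r"([\r\n]+)"):
    """Split raw data into events the way the settings above would.

    Stage 1 (LINE_BREAKER): split on the regex; the captured group is the
    separator and is dropped. Stage 2 (SHOULD_LINEMERGE=true together with
    BREAK_ONLY_BEFORE_DATE=true): a new event starts only at a line whose
    timestamp is recognized; every other line is appended to the previous event.
    """
    pieces = re.split(line_breaker, raw)
    lines = [p for p in pieces if p and not re.fullmatch(line_breaker, p)]
    if not should_linemerge:
        return lines  # one event per line, regardless of timestamp recognition
    events = []
    for line in lines:
        if events and recognize_timestamp(line) is None:
            events[-1] += "\n" + line  # leap-second line swallowed by previous event
        else:
            events.append(line)
    return events


if __name__ == "__main__":
    for label, merge in (("default (SHOULD_LINEMERGE=true)", True),
                         ("SHOULD_LINEMERGE=false", False)):
        events = break_events(RAW, should_linemerge=merge)
        print(f"{label}: {len(events)} event(s)")
        for ev in events:
            print("  " + ev.replace("\n", "\n  + "))
```

Under the default settings the simulation yields two events, with the 08:59:60 line appended to the 08:59:59 event; with SHOULD_LINEMERGE=false it yields three. The practical check in Splunk is the same: search for the raw text of the leap-second line and see whether it is found inside the preceding event rather than as an event of its own.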

When the recognized timestamp differs from the actual time

If a timestamp whose seconds field shows "60", such as 8:59:60 (the leap second of June 30, 2015 23:59:60 UTC, which is 8:59:60 on July 1 in JST), appears in logs or data that Splunk is ingesting, Splunk falls back through the following steps, applied in this order:

  1. If Splunk does not recognize the timestamp (date + time) of an event, it assigns the timestamp of the most recent event from the same source.
     For example, if the event immediately before 8:59:60 on July 1, 2015 has the timestamp 8:59:59, the 60-second timestamp is not recognized and the event is given the timestamp of that preceding event, 8:59:59 on July 1, 2015.
  2. If the log file ingested by Splunk Enterprise contains only the time of each event (no date), the date is taken from the file name or source name of the log file.
  3. If step 2 does not apply, Splunk uses the file modification time when ingesting the event.
  4. If none of the above is available, Splunk uses the system time at the moment the event was captured.
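The fallback chain above, as an added Python simulation (not Splunk code and not from the original article) run over constructed log lines. It records which rule produced each event's timestamp so the effect of the leap second is visible. Two assumptions are the example's own: a time-only line whose source name carries a date is treated as recognized (step 2) rather than falling to step 1, because only its date is missing; and a line with no recognizable timestamp goes through steps 1, 3 and 4 in the page's order. The file names, regular expressions and the `now` parameter (which defaults to the current time) are illustration only.

```python
import re
from datetime import date, datetime, time

FULL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2})")
TIME_ONLY_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\b")
SOURCE_DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")  # date embedded in the source name


def _combine(day, hour, minute, second):
    """Build a datetime, or return None when the fields are invalid. A seconds
    value of 60 is rejected, which stands in for Splunk not recognizing a leap second."""
    try:
        return datetime.combine(day, time(int(hour), int(minute), int(second)))
    except ValueError:
        return None


def ingest(lines, source, file_mtime=None, now=None):
    """Assign a timestamp to each line of one source and return (rule, datetime) pairs.

    Order: a full date + time in the event wins; a time-only line takes its date from
    the source name (step 2); anything still unrecognized takes the previous event's
    timestamp (step 1), then the file modification time (step 3), then system time (step 4).
    """
    results, previous_ts = [], None
    for line in lines:
        ts, rule = None, None
        m = FULL_RE.match(line)
        t = TIME_ONLY_RE.match(line)
        d = SOURCE_DATE_RE.search(source)
        if m:                                          # date + time present in the event
            ts = _combine(date.fromisoformat(m.group(1)), *m.group(2, 3, 4))
            rule = "timestamp in event"
        elif t and d:                                  # step 2: time only, date from source name
            ts = _combine(date.fromisoformat(d.group(1)), *t.groups())
            rule = "date from source name"
        if ts is None and previous_ts is not None:     # step 1: unrecognized, e.g. seconds == 60
            rule, ts = "previous event from same source", previous_ts
        if ts is None and file_mtime is not None:      # step 3
            rule, ts = "file modification time", file_mtime
        if ts is None:                                 # step 4
            rule, ts = "system time", now or datetime.now()
        previous_ts = ts
        results.append((rule, ts))
    return results


# Constructed sample inputs (not from the original page).
AUTH_LINES = [
    "2015-07-01 08:59:59 sshd[4242]: Accepted publickey for alice",
    "2015-07-01 08:59:60 sshd[4242]: Accepted publickey for bob",   # leap second
    "2015-07-01 09:00:00 sshd[4242]: session closed for user alice",
]
APP_LINES = [
    "09:00:01 app: request accepted",  # time only; the date comes from the source name
    "health check ok",                 # no timestamp at all
]

if __name__ == "__main__":
    for rule, ts in ingest(AUTH_LINES, "/var/log/auth.log"):
        print(f"{ts}  <- {rule}")
    for rule, ts in ingest(APP_LINES, "/var/log/app-2015-07-01.log"):
        print(f"{ts}  <- {rule}")
    mtime = datetime(2015, 7, 1, 9, 5, 0)
    for rule, ts in ingest(["health check ok"], "/var/log/app.log", file_mtime=mtime):
        print(f"{ts}  <- {rule}")
```

For the auth lines, the 08:59:60 event is stamped 08:59:59 by step 1, so in Splunk it sorts together with the preceding event and its true one-second offset is lost; a search over that window shows two events with an identical _time. The point worth checking in your own data is whether any source can emit a :60 seconds field at all (kernel, NTP and hardware clocks that smear or step the leap second never will), because only those sources are affected.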
