https://community.splunk.com/t5/Splunk-Enterprise/Missing-date-fields/m-p/577192#M10882 <P>Hi,<BR /><BR />I have this log format on our environment :&nbsp;<BR /><BR />2021-12-03 03:28:04.296, EVENT_TIMESTAMP="2021-12-03 03:26:38.039962 Asia/Shanghai", ACTION_NAME="LOGON", AUDIT_TYPE="Standard", RETURN_CODE="1", AUTHENTICATION_TYPE="(TYPE=(*));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=*)(HOST=1.1.1.1)(PORT=222))));", CURRENT_USER="my_own_user", DBID="0001111222", DBUSERNAME="my_own_user", INSTANCE_ID="1", OS_PROCESS="12000111", OS_USERNAME="ec2-user", SCN="900000000", SESSIONID="100000000", SYSTEM_PRIVILEGE_USED="CREATE SESSION", TERMINAL="unknown", UNIFIED_AUDIT_POLICIES="unknown", USERHOST="ec2-user", TS="2021-12-03 03:26:38"<BR /><BR />But it is missing the&nbsp;<STRONG>date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone&nbsp; </STRONG>fields&nbsp;<BR /><BR />this is the <STRONG>PROPS.CONF</STRONG>:<BR />[audit_sample]<BR />ANNOTATE_PUNCT = false<BR />LINE_BREAKER = ([\r\n]+)<BR />SHOULD_LINEMERGE = false<BR />MAX_TIMESTAMP_LOOKAHEAD = 32<BR />TIME_PREFIX = ^<BR />TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N<BR />TRUNCATE = 2000<BR /><BR /><BR />i have read the&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields</A><BR />and it says that the <STRONG>date_*</STRONG> fields are only available if the timestamp is properly extracted.&nbsp;<BR />Which in my case is fine&nbsp; because it have the <STRONG>_time</STRONG>&nbsp;field and when i compare the <STRONG>_time</STRONG> to the actual logs they are similar, and my props configuration is properly working.<BR /><BR />What might be the reason on why I'm missing those fields.</P><P>It is not window_event_logs</P><P>&nbsp;</P> Mon, 06 Dec 2021 03:30:18 GMT jadengoho 2021-12-06T03:30:18Z https://community.splunk.com/t5/Splunk-Enterprise/Missing-date-fields/m-p/577192#M10882 <P>Hi,<BR /><BR />I have this log format on our environment :&nbsp;<BR /><BR />2021-12-03 03:28:04.296, EVENT_TIMESTAMP="2021-12-03 03:26:38.039962 Asia/Shanghai", ACTION_NAME="LOGON", AUDIT_TYPE="Standard", RETURN_CODE="1", AUTHENTICATION_TYPE="(TYPE=(*));(CLIENT ADDRESS=((ADDRESS=(PROTOCOL=*)(HOST=1.1.1.1)(PORT=222))));", CURRENT_USER="my_own_user", DBID="0001111222", DBUSERNAME="my_own_user", INSTANCE_ID="1", OS_PROCESS="12000111", OS_USERNAME="ec2-user", SCN="900000000", SESSIONID="100000000", SYSTEM_PRIVILEGE_USED="CREATE SESSION", TERMINAL="unknown", UNIFIED_AUDIT_POLICIES="unknown", USERHOST="ec2-user", TS="2021-12-03 03:26:38"<BR /><BR />But it is missing the&nbsp;<STRONG>date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone&nbsp; </STRONG>fields&nbsp;<BR /><BR />this is the <STRONG>PROPS.CONF</STRONG>:<BR />[audit_sample]<BR />ANNOTATE_PUNCT = false<BR />LINE_BREAKER = ([\r\n]+)<BR />SHOULD_LINEMERGE = false<BR />MAX_TIMESTAMP_LOOKAHEAD = 32<BR />TIME_PREFIX = ^<BR />TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N<BR />TRUNCATE = 2000<BR /><BR /><BR />i have read the&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.2.3/Knowledge/Usedefaultfields</A><BR />and it says that the <STRONG>date_*</STRONG> fields are only available if the timestamp is properly extracted.&nbsp;<BR />Which in my case is fine&nbsp; because it have the <STRONG>_time</STRONG>&nbsp;field and when i compare the <STRONG>_time</STRONG> to the actual logs they are similar, and my props configuration is properly working.<BR /><BR />What might be the reason on why I'm missing those fields.</P><P>It is not window_event_logs</P><P>&nbsp;</P> Mon, 06 Dec 2021 03:30:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/Missing-date-fields/m-p/577192#M10882 jadengoho 2021-12-06T03:30:18Z