topic WMI and timestamp problems in Getting Data In https://community.splunk.com/t5/Getting-Data-In/WMI-and-timestamp-problems/m-p/577460#M102002 <P>I'm pulling events from remote computers using WMI as described in the splunk docs. Everything seems to be going quite well except... sometimes I encounter something like that in my logs:</P><PRE><SPAN class="">Failed</SPAN> <SPAN class="">to</SPAN> <SPAN class="">parse</SPAN> <SPAN class="">timestamp</SPAN> <SPAN class="">in</SPAN> <SPAN class="">first</SPAN> <SPAN class="">MAX_TIMESTAMP_LOOKAHEAD</SPAN> (<SPAN class="">128</SPAN>) <SPAN class="">characters</SPAN> <SPAN class="">of</SPAN> <SPAN class="">event.</SPAN> <SPAN class="">Defaulting</SPAN> <SPAN class="">to</SPAN> <SPAN class="">timestamp</SPAN> <SPAN class="">of</SPAN> <SPAN class="">previous</SPAN> <SPAN class="">event</SPAN> (<SPAN class="">Mon</SPAN> <SPAN class="">Dec</SPAN> <SPAN class="">6</SPAN> <SPAN class="">12:22:22</SPAN> <SPAN class="">2021</SPAN>)<SPAN class="">.</SPAN> <SPAN class="">Context:</SPAN> <SPAN class="">source=<SPAN class="">WMI</SPAN>:WinEventLog:Application</SPAN>|<SPAN class="">host=&lt;redacted&gt;</SPAN>|<SPAN class=""><SPAN class="">WMI</SPAN>:WinEventLog:Application</SPAN>|1</PRE><P>Which is quite surprising since I thought that WMI-pulled events should have proper timestamp created from the event timestamp on the source machine. Anyone encountered such issue?</P> Mon, 06 Dec 2021 11:51:13 GMT PickleRick 2021-12-06T11:51:13Z WMI and timestamp problems https://community.splunk.com/t5/Getting-Data-In/WMI-and-timestamp-problems/m-p/577460#M102002 <P>I'm pulling events from remote computers using WMI as described in the splunk docs. Everything seems to be going quite well except... sometimes I encounter something like that in my logs:</P><PRE><SPAN class="">Failed</SPAN> <SPAN class="">to</SPAN> <SPAN class="">parse</SPAN> <SPAN class="">timestamp</SPAN> <SPAN class="">in</SPAN> <SPAN class="">first</SPAN> <SPAN class="">MAX_TIMESTAMP_LOOKAHEAD</SPAN> (<SPAN class="">128</SPAN>) <SPAN class="">characters</SPAN> <SPAN class="">of</SPAN> <SPAN class="">event.</SPAN> <SPAN class="">Defaulting</SPAN> <SPAN class="">to</SPAN> <SPAN class="">timestamp</SPAN> <SPAN class="">of</SPAN> <SPAN class="">previous</SPAN> <SPAN class="">event</SPAN> (<SPAN class="">Mon</SPAN> <SPAN class="">Dec</SPAN> <SPAN class="">6</SPAN> <SPAN class="">12:22:22</SPAN> <SPAN class="">2021</SPAN>)<SPAN class="">.</SPAN> <SPAN class="">Context:</SPAN> <SPAN class="">source=<SPAN class="">WMI</SPAN>:WinEventLog:Application</SPAN>|<SPAN class="">host=&lt;redacted&gt;</SPAN>|<SPAN class=""><SPAN class="">WMI</SPAN>:WinEventLog:Application</SPAN>|1</PRE><P>Which is quite surprising since I thought that WMI-pulled events should have proper timestamp created from the event timestamp on the source machine. Anyone encountered such issue?</P> Mon, 06 Dec 2021 11:51:13 GMT https://community.splunk.com/t5/Getting-Data-In/WMI-and-timestamp-problems/m-p/577460#M102002 PickleRick 2021-12-06T11:51:13Z