https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53679#M10361 <P>Hello All,</P> <P>Simply put, I can successfully detect the timestamp of an event while in preview mode<BR /> <A href="http://imgur.com/45IF3bQ,Fq7UfjS#0">During Preview</A> (note the event time distribution in the right corner)</P> <P>But when I begin searching the data, the timestamp is replaced by the current date and each event has a timestamp=none <A href="http://imgur.com/45IF3bQ,Fq7UfjS#1">In Search</A></P> <P>Can someone hint at what I might be doing wrong?</P> Wed, 06 Mar 2013 22:31:35 GMT gunderjt 2013-03-06T22:31:35Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53679#M10361 <P>Hello All,</P> <P>Simply put, I can successfully detect the timestamp of an event while in preview mode<BR /> <A href="http://imgur.com/45IF3bQ,Fq7UfjS#0">During Preview</A> (note the event time distribution in the right corner)</P> <P>But when I begin searching the data, the timestamp is replaced by the current date and each event has a timestamp=none <A href="http://imgur.com/45IF3bQ,Fq7UfjS#1">In Search</A></P> <P>Can someone hint at what I might be doing wrong?</P> Wed, 06 Mar 2013 22:31:35 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53679#M10361 gunderjt 2013-03-06T22:31:35Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53680#M10362 <P>Hi gunderjt,</P> <P>I can see that your source type has TIME_FORMAT set, but does it also have a TIME_PREFIX value set. This is usually found in your props.conf, usually in /opt/splunk/etc/system/local/. You could also set the BREAK_ONLY_BEFORE_DATE = true option and see if this corrects the issue.</P> <P>Please feel free to post the entry for the props.conf file, and I would be happy to take a look at it.</P> <P>Lastly, when you are setting up the sourcetype through manual import, there is the Timestamps tab which can also perform these changes for you.</P> <P>Please let me know if you have any questions.</P> <P>Regards,</P> <P>Vince</P> Mon, 28 Sep 2020 13:27:38 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53680#M10362 vincesesto 2020-09-28T13:27:38Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53681#M10363 <P>Thank you for you help Vince,</P> <P>I don't have a TIME_PREFIX as the timestamp is the first half a dozen characters in an event. I also put the "BREAK_ONLY_BEFORE_DATE = true" command into the props.conf file. But to no avail. </P> <P>Here is the props.conf sourcetype: </P> <P>[DoIt1]<BR /> BREAK_ONLY_BEFORE_DATE = true<BR /> CHECK_FOR_HEADER = true<BR /> KV_MODE = none<BR /> MAX_DAYS_AGO = 10900<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = False<BR /> TIME_FORMAT = %m/%d/%Y<BR /> pulldown_type = 1</P> <P>Like I said, during the preview when I'm setting up my timestamp configuration, it works just fine, but breaks in the search app.</P> Mon, 28 Sep 2020 13:28:02 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53681#M10363 gunderjt 2020-09-28T13:28:02Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53682#M10364 <P>Hi Gunderjt,</P> <P>Yeah, I typed out sample data from the images you posted and had the same issue. I think that splunk may have been getting confused with the multiple date values in the event and as a result, could not decide how to set the date correctly.</P> <P>Either way, I have been able to get it to work by adding the TIME_PREFIX option set to the start of the line(^), and have got the following props config top work:<BR /> [DoIt1]<BR /> MAX_DAYS_AGO = 10900<BR /> NO_BINARY_CHECK = 1<BR /> TIME_PREFIX = ^<BR /> pulldown_type = 1</P> <P>I hope this works for you and if not...let me know and I will try to find a different way around this.</P> <P>Regards, Vince</P> Mon, 28 Sep 2020 13:28:21 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53682#M10364 vincesesto 2020-09-28T13:28:21Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53683#M10365 <P>That did it! Thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 08 Mar 2013 02:44:47 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53683#M10365 gunderjt 2013-03-08T02:44:47Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53684#M10366 <P>Hi,</P> <P>I have a very similar issue too. I have posted it in <BR /> <A href="http://answers.splunk.com/answers/233542/timestamp-preview-different-than-timestamp-in-sear.html" target="_blank">http://answers.splunk.com/answers/233542/timestamp-preview-different-than-timestamp-in-sear.html</A></P> <P>The solution you gave did not work for me. I tried the time_prefix values <BR /> TIME_PREFIX=^\"timestamp\":\s\"<BR /> TIME_PREFIX="timestamp": <BR /> Nothing so far, any clues?</P> Mon, 28 Sep 2020 19:47:42 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-preview-different-than-timestamp-in-search/m-p/53684#M10366 hvaithia 2020-09-28T19:47:42Z