https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710424#M117328 <P><SPAN>Hello everyone,</SPAN></P><P>&nbsp;</P><P><SPAN>I’m having trouble getting Splunk to recognize timestamps correctly, and I hope someone can help me out. I’m importing an </SPAN><SPAN>access log file</SPAN><SPAN>, where the timestamps are formatted like this:</SPAN></P><P>&nbsp;</P><P><SPAN>[</SPAN><SPAN>01</SPAN><SPAN>/Jan/</SPAN><SPAN>2017</SPAN><SPAN>:</SPAN><SPAN>02</SPAN><SPAN>:</SPAN><SPAN>16</SPAN><SPAN>:</SPAN><SPAN>51</SPAN><SPAN> -0800]</SPAN></P><P>here also a live output:</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="81341BD6-AE01-4FF1-99EA-6C755D6680AD.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34337i1524C57B3A9A9F06/image-size/large?v=v2&amp;px=999" role="button" title="81341BD6-AE01-4FF1-99EA-6C755D6680AD.png" alt="81341BD6-AE01-4FF1-99EA-6C755D6680AD.png" /></span><BR /></SPAN></P><P><SPAN>However, Splunk is not recognizing these timestamps and instead assigns the </SPAN><SPAN>indexing time</SPAN><SPAN>.</SPAN></P><P>&nbsp;</P><P><SPAN>I have tried adjusting the settings in the </SPAN><SPAN>sourcetype configuration</SPAN><SPAN> (see screenshot) and have set the following values:</SPAN></P><P><SPAN>• </SPAN><SPAN>Timestamp format:</SPAN> <SPAN>%d/%b/%Y:%H:%M:%S %z</SPAN></P><P><SPAN>• </SPAN><SPAN>Timestamp prefix:</SPAN> <SPAN>\[</SPAN></P><P><SPAN>• </SPAN><SPAN>Lookahead:</SPAN> <SPAN>32</SPAN></P><P>&nbsp;</P><P><SPAN>Unfortunately, the timestamps are still not recognized correctly.</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> </SPAN><SPAN>Do I need to modify </SPAN><SPAN>props.conf</SPAN><SPAN> or </SPAN><SPAN>inputs.conf</SPAN><SPAN> as well?</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> </SPAN><SPAN>Is my timestamp format correct, or should it be defined differently?</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> </SPAN><SPAN>Could there be another issue in my extraction settings?</SPAN></P><P>&nbsp;</P><P>The log file looks like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_1085.jpeg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34339iDD4661113378B284/image-size/large?v=v2&amp;px=999" role="button" title="IMG_1085.jpeg" alt="IMG_1085.jpeg" /></span></P><P><SPAN>Should I maybe change the log file with some scripting in order to change the format?</SPAN></P><P>&nbsp;</P><P><SPAN>I would really appreciate any guidance! Thank you in advance. <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></SPAN></P><P>&nbsp;</P><P><SPAN>Best regards</SPAN></P> Sun, 02 Feb 2025 12:00:04 GMT splunk_user_99 2025-02-02T12:00:04Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710424#M117328 <P><SPAN>Hello everyone,</SPAN></P><P>&nbsp;</P><P><SPAN>I’m having trouble getting Splunk to recognize timestamps correctly, and I hope someone can help me out. I’m importing an </SPAN><SPAN>access log file</SPAN><SPAN>, where the timestamps are formatted like this:</SPAN></P><P>&nbsp;</P><P><SPAN>[</SPAN><SPAN>01</SPAN><SPAN>/Jan/</SPAN><SPAN>2017</SPAN><SPAN>:</SPAN><SPAN>02</SPAN><SPAN>:</SPAN><SPAN>16</SPAN><SPAN>:</SPAN><SPAN>51</SPAN><SPAN> -0800]</SPAN></P><P>here also a live output:</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="81341BD6-AE01-4FF1-99EA-6C755D6680AD.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34337i1524C57B3A9A9F06/image-size/large?v=v2&amp;px=999" role="button" title="81341BD6-AE01-4FF1-99EA-6C755D6680AD.png" alt="81341BD6-AE01-4FF1-99EA-6C755D6680AD.png" /></span><BR /></SPAN></P><P><SPAN>However, Splunk is not recognizing these timestamps and instead assigns the </SPAN><SPAN>indexing time</SPAN><SPAN>.</SPAN></P><P>&nbsp;</P><P><SPAN>I have tried adjusting the settings in the </SPAN><SPAN>sourcetype configuration</SPAN><SPAN> (see screenshot) and have set the following values:</SPAN></P><P><SPAN>• </SPAN><SPAN>Timestamp format:</SPAN> <SPAN>%d/%b/%Y:%H:%M:%S %z</SPAN></P><P><SPAN>• </SPAN><SPAN>Timestamp prefix:</SPAN> <SPAN>\[</SPAN></P><P><SPAN>• </SPAN><SPAN>Lookahead:</SPAN> <SPAN>32</SPAN></P><P>&nbsp;</P><P><SPAN>Unfortunately, the timestamps are still not recognized correctly.</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> </SPAN><SPAN>Do I need to modify </SPAN><SPAN>props.conf</SPAN><SPAN> or </SPAN><SPAN>inputs.conf</SPAN><SPAN> as well?</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> </SPAN><SPAN>Is my timestamp format correct, or should it be defined differently?</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> </SPAN><SPAN>Could there be another issue in my extraction settings?</SPAN></P><P>&nbsp;</P><P>The log file looks like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_1085.jpeg" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34339iDD4661113378B284/image-size/large?v=v2&amp;px=999" role="button" title="IMG_1085.jpeg" alt="IMG_1085.jpeg" /></span></P><P><SPAN>Should I maybe change the log file with some scripting in order to change the format?</SPAN></P><P>&nbsp;</P><P><SPAN>I would really appreciate any guidance! Thank you in advance. <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></SPAN></P><P>&nbsp;</P><P><SPAN>Best regards</SPAN></P> Sun, 02 Feb 2025 12:00:04 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710424#M117328 splunk_user_99 2025-02-02T12:00:04Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710425#M117329 <P>It looks like your time extraction settings are corrrect, however you need to add&nbsp;MAX_DAYS_AGO to be a higher value (eg 3000) for Splunk to accept that 2017 timestamp as the default is 2000 and therefore Splunk is not accepting the date.</P><P>Let me know if adding&nbsp;MAX_DAYS_AGO=3000 to your extraction config works!</P><P>Good luck</P><P>Will</P> Sun, 02 Feb 2025 12:11:35 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710425#M117329 livehybrid 2025-02-02T12:11:35Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710436#M117332 <P><SPAN>Hey Will,</SPAN></P><P><SPAN>I just wanted to say </SPAN><SPAN>a huge THANK YOU</SPAN><SPAN> for your help! <span class="lia-unicode-emoji" title=":raising_hands:">🙌</span></SPAN></P><P><SPAN>Your suggestion to increase </SPAN><SPAN>MAX_DAYS_AGO</SPAN><SPAN> to 3000 </SPAN><SPAN>completely solved my issue</SPAN><SPAN>, and Splunk now correctly recognizes my timestamps.</SPAN></P><P><SPAN>Honestly, I had been struggling with this for quite some time, and your solution </SPAN><SPAN>saved me a lot of time and frustration</SPAN><SPAN>. I really appreciate the effort you put into answering my question.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks again, and have a great day! <span class="lia-unicode-emoji" title=":rocket:">🚀</span></SPAN></P><P>&nbsp;</P><P><SPAN>Best,</SPAN></P><P><SPAN>Emil</SPAN></P> Sun, 02 Feb 2025 18:54:55 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Not-Recognizing-Timestamps-What-Settings-Should-I-Use/m-p/710436#M117332 splunk_user_99 2025-02-02T18:54:55Z