https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752044#M119425 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;,</P><P>I copied props.conf to indexers and it works properly :-).</P><P>Thank you and have a nice day!</P> Fri, 22 Aug 2025 10:02:50 GMT LIS 2025-08-22T10:02:50Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751974#M119404 <P>I have two time stamps in each record&nbsp;<SPAN>2025-08-20 17:37:00.317 and&nbsp;SEN_20250820153640.1703351.txt.</SPAN></P><P><SPAN>And want to use first one, but timestamp extractor chooses second from file name, neglecting my config.&nbsp;&nbsp;</SPAN></P><P>Example of record:</P><P><SPAN>2025-08-20 17:37:00.317 INF transferred file bytes=7642 file=/map/sen-tig/SEN_20250820153640.1703351.txt pid=4170 speed_mbps=2.1 time_ms=29.2</SPAN></P><P>&nbsp;</P><P><SPAN>inputs.conf</SPAN></P><P><SPAN>[monitor:///apps/sftp_sender/var/log/sftp*.log]<BR />disabled = false<BR />index = messaging<BR />sourcetype = messaging:ms:log</SPAN></P><P>&nbsp;</P><P><SPAN>props.conf</SPAN></P><P><SPAN>[messaging:ms:log]<BR />NO_BINARY_CHECK = true<BR />SHOULD_LINEMERGE = false<BR />TIME_PREFIX = ^<BR />MAX_TIMESTAMP_LOOKAHEAD = 23<BR />TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N<BR />TZ = Europe/Brussels<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>I also tried to use&nbsp;DATETIME_CONFIG = NONE (and CURRENT) , but it doesnt work.</SPAN></P><P><SPAN>I still see in Splunk _time = "second timestamp from record".</SPAN></P><P><SPAN>props.conf</SPAN></P><P><SPAN>[messaging:ms:log]<BR />TZ = Europe/Brussels<BR />DATETIME_CONFIG = NONE</SPAN></P><P>&nbsp;</P> Thu, 21 Aug 2025 11:36:13 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751974#M119404 LIS 2025-08-21T11:36:13Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751984#M119406 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240613">@LIS</a>&nbsp;,</P><P>where did you locate the props.conf file?</P><P>you must put it on the UF and on the first full Splunk instance.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 21 Aug 2025 15:56:55 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751984#M119406 gcusello 2025-08-21T15:56:55Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751988#M119407 <P><A href="https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774</A></P><P>Timestamp recognition happens usually on the first "heavy" component the event goes through. So your time-related settings should be put there (usually on indexer(s) or a Heavy Forwarder if you have one between your UF and indexer(s)). There is one caveat though - if you use indexed extractions - they happen on the initial ingesting component even if it's a UF. But that's a rare use case.</P> Thu, 21 Aug 2025 17:20:18 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751988#M119407 PickleRick 2025-08-21T17:20:18Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751995#M119410 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp; and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>Thank you for your responses, but it is not clear for me, because in our system we have lots of configs/dataflows were we have props.conf with time related parameters (TIMESTAMP_FIELDS, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT, TZ .... ) only on UF.&nbsp; Our forwarders connected to indexers directly, we dont have any props.conf on indexers and it work properly).</P><P>maybe it only works with&nbsp;INDEXED_EXTRACTIONS ?</P><P>INDEXED_EXTRACTIONS = csv<BR />FIELD_DELIMITER = ,<BR />NO_BINARY_CHECK = true<BR />SHOULD_LINEMERGE = false<BR />category = Structured<BR />disabled = false<BR />TIMESTAMP_FIELDS = date<BR />TIME_FORMAT = %Y-%m-%d %H:%M:%S<BR />TZ = UTC</P> Thu, 21 Aug 2025 18:26:43 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/751995#M119410 LIS 2025-08-21T18:26:43Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752002#M119412 <P>If you don't have the proper config on the parsing component Splunk guesses. Sometimes does it relatively well but it's not good performancewise.</P><P>Also TIMESTAMP_FIELDS makes sense only with indexed extractions.</P> Thu, 21 Aug 2025 20:54:02 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752002#M119412 PickleRick 2025-08-21T20:54:02Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752005#M119414 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240613">@LIS</a>&nbsp;,</P><P>some pasring activities are done on the Forwarders and some others are done on the first full Splunk instance that data are passing through, in your case Indexers.</P><P>Put the props.conf on the UFs and on Indexersa, and, if you have, on Search Heads.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 21 Aug 2025 21:34:09 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752005#M119414 gcusello 2025-08-21T21:34:09Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752032#M119423 <P>Thank you for more details).<BR /><BR />Unfortunately, it is not really clear in Splunk docs where we can use certain parameter (only UF, HF, Indexer or on any of them). how to get it?</P><P>So, I have to copy my props.conf on indexers as well, or move it from UF to indexers?</P><P>Thank you in advance:-)</P> Fri, 22 Aug 2025 07:50:28 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752032#M119423 LIS 2025-08-22T07:50:28Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752033#M119424 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240613">@LIS</a>&nbsp;,</P><P>I usually put it both on UFs and Indexers, and Search Heads.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 22 Aug 2025 08:04:07 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752033#M119424 gcusello 2025-08-22T08:04:07Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752044#M119425 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;,</P><P>I copied props.conf to indexers and it works properly :-).</P><P>Thank you and have a nice day!</P> Fri, 22 Aug 2025 10:02:50 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752044#M119425 LIS 2025-08-22T10:02:50Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752045#M119426 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240613">@LIS</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 22 Aug 2025 10:07:13 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extractor-issue-on-UF/m-p/752045#M119426 gcusello 2025-08-22T10:07:13Z