topic Re: Windows server data timestamp issue in splunk in Getting Data In

Windows server data timestamp issue in splunk

chandrasekhar46 — Tue, 04 Nov 2025 07:32:56 GMT

i have splunk data for windows servers for service but getting timestamp issue here is example error log and event example so how can i use props file

shall i install windows TA addon in HF should resolve it or any custom props file bases on event

11-04-2025 06:10:31.452 +0000 WARN DateParserVerbose [1028 winparsing] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Nov 4 06:10:31 2025). Context: source=WMI:Service|host=XSPW12W923F|WMI:Service|1

event coming like this in splunk :

20251104022942.950679

DisplayName=test_one

Name=WdiSystemHost

StartMode=Manual

State=Stopped

Re: Windows server data timestamp issue in splunk

gcusello — Tue, 04 Nov 2025 07:48:34 GMT

Hi @chandrasekhar46 ,

usually Splunk_TA_Windows correctly parse all windows events, even if this seems to be a very strange windows logs that usually have a different format; are these logs windows servers logs or application logs?

Anyway, you should install Splunk_TA_Windows both on UF, HF and SH.

Ciao.

Giuseppe

Re: Windows server data timestamp issue in splunk

PrewinThomas — Tue, 04 Nov 2025 09:17:05 GMT

@chandrasekhar46
Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this.

Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!