https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77584#M15875 <P>It's strange. Please clean event at all, then try to re-index the file.</P> Mon, 18 Jun 2012 12:13:42 GMT Takajian 2012-06-18T12:13:42Z https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77579#M15870 <P>I'm unable to get correct timestamps for my snmptrap log-file.</P> <P>This is an example of an snmptrap :</P> <PRE><CODE>2012-06-18 11:55:12 servername [UDP: [10.10.10.10]:32768-&gt;[0.0.0.0]:0]: </CODE></PRE> <P>Splunk does not take 2012-06-18 11:55:12 as timestamp, instead it takes the last-modified date of the log-file which remains the same as it is an always-edited file.</P> <P>I've tried with following settings in props.conf :<BR /> <CODE>[snmptrap]<BR /> SHOULD_LINEMERGE=False<BR /> TIME_PREFIX=<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S<BR /> LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{d}</CODE></P> <P>But still not getting the correct timestamp.<BR /> What am I doing wrong?</P> Mon, 18 Jun 2012 10:20:09 GMT https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77579#M15870 StefNighthawk 2012-06-18T10:20:09Z https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77580#M15871 <P>If you change your props.conf, it will not affect until you reboot splunk and re-index the data. And you do not need "LINE_BREAKER" setting when "SHOULD_LINEMERGE=false". </P> Mon, 28 Sep 2020 11:57:18 GMT https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77580#M15871 Takajian 2020-09-28T11:57:18Z https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77581#M15872 <P>I've restarted the entire server instead of the splunk service only.<BR /> Thus the log file has been recreated and with it it's modification time.<BR /> Currently I have no way to tell whether Splunk is using the file modification time or the timestamp.</P> <P>I already see that timestartpos and timeendpos have values.<BR /> The weird thing is that the timestamping went OK for more than two days and then suddenly stopped. Before I configured TIME*<EM><EM>FORMAT the timestartpos and timeendpos were (0,20), when timestamping broke their value became null and now with TIME</EM></EM>*FORMAT its (0,19).</P> <P>I hope timestamping will stay correct this time.</P> Mon, 28 Sep 2020 11:57:20 GMT https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77581#M15872 StefNighthawk 2020-09-28T11:57:20Z https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77582#M15873 <P>I think I can index your timestamp of the file by default setting. How did you log the snmptrap to the file? Does the file contains the timestamp as you described? </P> Mon, 18 Jun 2012 11:30:37 GMT https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77582#M15873 Takajian 2012-06-18T11:30:37Z https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77583#M15874 <P>I used snmptrapd from net-snmp to create a log-file locally on the splunk server. Each event in the file starts with the timestamp like <EM>2012-06-18 11:55:12</EM>. Until yesterday there was no problem using the default setting.<BR /> Once splunk started to use the file modification time instead of the timestamp events started to no longer be properly split.</P> Mon, 18 Jun 2012 11:50:34 GMT https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77583#M15874 StefNighthawk 2012-06-18T11:50:34Z https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77584#M15875 <P>It's strange. Please clean event at all, then try to re-index the file.</P> Mon, 18 Jun 2012 12:13:42 GMT https://community.splunk.com/t5/Getting-Data-In/problem-extracting-timestamps/m-p/77584#M15875 Takajian 2012-06-18T12:13:42Z