topic Splunk is ignoring timestamp and using indexing time in Getting Data In

Splunk is ignoring timestamp and using indexing time

colin_ewen — Tue, 27 Sep 2011 13:13:27 GMT

I'm running into an issue with Splunk ignoring the timestamp in a specific log and just using current indexing time. Example extract(XXXX and #### replace letters and numbers)

[2011-09-27-04-03-54][XXXX::IA::Actions][####]: BUYER_EMAIL_INVOICES_ADDRESS: []

[2011-09-27-04-03-54][XXXX::IA::Actions][####]: BUYER_LANGUAGE_ID: [25]

[2011-09-27-04-03-54][XXXX::IA::Actions][####]: BUYER_DATE_FORMAT_ID: [1]

Format is %Y-%m-%d-%H-%M-%S

I've attempted the below dateformat to resolve this (there is a backslash escaping the [ below, it's being removed):

TIME_PREFIX = [

TIME_FORMAT = %Y-%m-%d-%H-%M-%S

Unfortunately, no luck, and it's still showing up with the indexing time.

Any help on this? I'm running into a wall.

Re: Splunk is ignoring timestamp and using indexing time

gkanapathy — Tue, 27 Sep 2011 15:07:27 GMT

Where exactly did you place these lines of configuration?

Re: Splunk is ignoring timestamp and using indexing time

colin_ewen — Tue, 27 Sep 2011 15:08:51 GMT

I added them to the props.conf on the forwarder. Should the props.conf be added to the indexer too, or just the forwarder?

Re: Splunk is ignoring timestamp and using indexing time

gkanapathy — Tue, 27 Sep 2011 15:10:44 GMT

Probably: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

Re: Splunk is ignoring timestamp and using indexing time

colin_ewen — Tue, 27 Sep 2011 15:28:47 GMT

I've adjusted props.conf on the backend, but it did not work properly. At this point, it now groups them into chunks of 16 lines as a single event and continues to give them the wrong timestamp.

Re: Splunk is ignoring timestamp and using indexing time

_d_ — Mon, 03 Oct 2011 22:23:08 GMT

Colin, try placing a ^ (to indicate the beginning of the line) in front of the backslash escaping your left bracket in TIME_PREFIX.