https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100976#M21152 <P>Were you ever able to solve this problem? I have the same problem in that I can't include the date in the source of incoming data</P> Mon, 30 May 2016 15:53:58 GMT ckdoan 2016-05-30T15:53:58Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100967#M21143 <P>I have a source that only contains the time of an event, not the date. It looks something like this:</P> <PRE><CODE>... 08:26:40 event1 08:26:41 event2 13:59:09 event3 13:59:12 event4 ... </CODE></PRE> <P>The order in the source is not by time but rather grouped by application specifics. When I try to index this splunk correctly recognizes the time based on my TIMESTAMP_FORMAT, but for each large skip forward as with event2 to event3 it skips <EM>back</EM> a day, so event2 gets inserted as April 19th 08:26:41 (correct), but event3 gets inserted as April *18*th 13:59:09. Fiddling with MAX_DIFF_SECS_AGO / _HENCE does not appear to help.</P> <P>Any ideas?</P> <P>Edit: I've dug through comparing an example file with the events in splunk, here's where the timestamp jumps occur:</P> <PRE><CODE>Event Source Splunk 1 18:23:50 18:23:50 April 18th 2 07:16:22 07:16:22 April 17th, jumped back one day 3 07:16:24 07:16:24 April 17th ... 754 08:49:08 08:49:08 April 17th 755 08:26:41 08:26:41 April 17th 756 13:59:09 13:59:09 April 16th, jumped back one day 757 13:59:12 13:59:12 April 16th ... 817 14:15:38 14:15:38 April 16th 818 08:27:35 08:27:35 April 16th, did not jump ... </CODE></PRE> <P>The jumps don't seem to follow a simple pattern. Event 1 to 2 was a time-gap backwards by 11 hours, this caused a jump. 755 to 756 was 5 hours <EM>forwards</EM>, jump again. 817 to 818 was backwards as 1 to 2 and more hours than 755 to 756, but no jump...</P> Mon, 28 Sep 2020 13:45:53 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100967#M21143 martin_mueller 2020-09-28T13:45:53Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100968#M21144 <P>Not having the date in the event means there's no guarantee's Splunk is going to get the date right. It also may be looking at something else in the event to determine the date.</P> <P>I suggest you set DATETIME_CONFIG = CURRENT in the props.conf and let splunk assign the timestamp.</P> <P>Brian</P> Fri, 19 Apr 2013 12:41:13 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100968#M21144 bosburn_splunk 2013-04-19T12:41:13Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100969#M21145 <P>I'll probably only get a batch of data once a day, so using the index time isn't going to work as long as there is no near-real-time connection. There are jumps back in time in the files as well, those don't seem to annoy splunk too much though...</P> <P>As for looking at something else in the event, the timestartpos and timeendpos are correct for every event, there are no occasional odd values - are those reliable for making sure nothing else is influencing the timestamp decision?</P> Fri, 19 Apr 2013 12:49:33 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100969#M21145 martin_mueller 2013-04-19T12:49:33Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100970#M21146 <P>I've added a bit more sample time data in case someone sees a pattern that I'm missing.</P> <P>For now the plan is to have a date inserted before pulling the data into Splunk.</P> Mon, 22 Apr 2013 11:40:32 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100970#M21146 martin_mueller 2013-04-22T11:40:32Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100971#M21147 <P>I'm making my data provider include the dates, too many skips in the time alone.</P> Thu, 02 May 2013 15:15:16 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100971#M21147 martin_mueller 2013-05-02T15:15:16Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100972#M21148 <P>I'm having the same issue. With the exception that I have a date at the top of the file. The events are labeled with a time. It seems that once Splunk has correctly identified the date in a file, it should use that date until another date is given. Here's test data that you can use to reproduce the issue.</P> <P>When the event jumps from hour 00 to hour 05, splunk changes the date to 1 day earlier? Which is a bit strange, as I don't know of any log that would write date's out of sequence.</P> <HR /> <P>18/04/2013 - 00:33:51.828 - LOG OPENED - CHANGE OF DATE</P> <P>00:33:51.828 Adding dub job 263851 ...<BR /> 00:33:51.906 Trying to add<BR /> 00:59:15.281 Adding dub job 263853 ...<BR /> 00:59:15.359 Trying to add<BR /> 00:33:51.828 Adding dub job 263851 ...<BR /> 05:59:15.359 Trying to add</P> <H2>19/04/2013 - 00:00:09.812 - LOG CLOSED - CHANGE OF DATE</H2> Fri, 17 May 2013 16:40:42 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100972#M21148 cpt12tech 2013-05-17T16:40:42Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100973#M21149 <P>Thanks... I've solved my issue by simply making the providers of the data create a properly sorted and fully date-/timestamped source <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 17 May 2013 17:06:20 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100973#M21149 martin_mueller 2013-05-17T17:06:20Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100974#M21150 <P>Good to hear. I've checked to see if I can do the same, and the answer was no.</P> Fri, 17 May 2013 17:10:41 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100974#M21150 cpt12tech 2013-05-17T17:10:41Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100975#M21151 <P>As for what kind of log would create events out of sequence... no log at all. This was a prettified-for-viewing report from SAP that had events out of sequence because there was additional grouping. Now we're pulling raw data from underneath, feels much better as well...</P> Fri, 17 May 2013 17:37:01 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100975#M21151 martin_mueller 2013-05-17T17:37:01Z https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100976#M21152 <P>Were you ever able to solve this problem? I have the same problem in that I can't include the date in the source of incoming data</P> Mon, 30 May 2016 15:53:58 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamps-jump-back-a-day/m-p/100976#M21152 ckdoan 2016-05-30T15:53:58Z