https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20134#M2925 <P>when i created my sourcetype my-log i selected default timestamp, later i found out that in some events with more than one line, certaing timestamps are there. and because of these timestamps those events are considered seperately. <BR /> the mistake i did is while creating sourcetype i didn't check out the option <BR /> Format with a checkbox to Specify timestampformat (strptime)ex; %Y-%m-%d<BR /> if i check that option and give the format of the timestamp which is always at the beginning of the event i am able to get the correct event formats, now how to change it as i already crreated sourcetypes and indexed files ..<BR /> Thanks Bella</P> Tue, 05 Feb 2013 12:51:34 GMT bellaed 2013-02-05T12:51:34Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20134#M2925 <P>when i created my sourcetype my-log i selected default timestamp, later i found out that in some events with more than one line, certaing timestamps are there. and because of these timestamps those events are considered seperately. <BR /> the mistake i did is while creating sourcetype i didn't check out the option <BR /> Format with a checkbox to Specify timestampformat (strptime)ex; %Y-%m-%d<BR /> if i check that option and give the format of the timestamp which is always at the beginning of the event i am able to get the correct event formats, now how to change it as i already crreated sourcetypes and indexed files ..<BR /> Thanks Bella</P> Tue, 05 Feb 2013 12:51:34 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20134#M2925 bellaed 2013-02-05T12:51:34Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20135#M2926 <P>For the sourcetype, edit props.conf. That won't affect already indexed events though, those need to be re-indexed.</P> Tue, 05 Feb 2013 15:51:09 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20135#M2926 martin_mueller 2013-02-05T15:51:09Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20136#M2927 <P>If this is the time specified in the log <BR /> 2013-01-22 17:43:32<BR /> will TIME_FORMAT=%Y-%m-%d %H:%M:%S in props.conf is enough?<BR /> But still not able to read the _time,even for the newly indexed logs..<BR /> it displays date correctly but time is default to 12:00:00.000 AM for every log events</P> Wed, 06 Feb 2013 12:16:20 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20136#M2927 bellaed 2013-02-06T12:16:20Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20137#M2928 <P>Depending on your specific logs you may need to specify other timestamp configuration such as prefixes: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition</A></P> Wed, 06 Feb 2013 12:30:24 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20137#M2928 martin_mueller 2013-02-06T12:30:24Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20138#M2929 <P>log starts with the timestamp but there are time in between which specifies some time point or earlier event happened time etc, splunk will read in between time and take those events as separate events<BR /> so give some prefixes for timestamps</P> Wed, 06 Feb 2013 12:55:36 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20138#M2929 smolcj 2013-02-06T12:55:36Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20139#M2930 <P>As i already stated, there isn't anything before the time. Events should start with time.<BR /> Providing sample events for more clarification:<BR /> 2012-10-24 15:39:48 : INFO :Num CPUs = 12<BR /> 2012-10-24 15:39:48 : INFO :Pentium processor<BR /> 2012-10-24 15:39:48 : INFO :nifaces = 5<BR /> 2012-10-24 15:39:48 : INFO :iface name [lo]<BR /> 2012-10-24 15:39:48 : INFO :checking..<BR /> license checking started<BR /> checking started at <STRONG>24/10/2012</STRONG> 15:39:48<BR /> license field: [Product][blabla]<BR /> [certain numbers]: <BR /> license field: [Chicago Trading]<BR /> [key]: <BR /> license field: [Expiration-Date][never]<BR /> [key]: <BR /> license field: [License-Key][pdct key]</P> <P>license parsed key [secretkey]</P> <P>Time in the event in bold is considered as new event. Actually it is the continuation of previous event. How to skip reading second timestamp? </P> Thu, 07 Feb 2013 07:10:48 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20139#M2930 bellaed 2013-02-07T07:10:48Z https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20140#M2931 <P>Based on the example from your non-answer, try this setting in props.conf under your sourcetype:</P> <PRE><CODE>MAX_TIMESTAMP_LOOKAHEAD=20 </CODE></PRE> <P>Using only that, the remaining default values give me one event per row at first, and one long event starting with the "checking.." row.</P> Thu, 07 Feb 2013 08:09:31 GMT https://community.splunk.com/t5/Getting-Data-In/edit-sourcetype-settings/m-p/20140#M2931 martin_mueller 2013-02-07T08:09:31Z