https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210212#M41399 <P>The stanza you need to change in props.conf will be named after the sourcetype of the data. </P> <P>I'm making comment on renjith.nair's response because if you read the documentation you'll understand this. However i'm also giving you the answer here:</P> <P>[sourcetypeName]<BR /> TIME_PREFIX = ^<BR /> TIME_FORMAT = %s%3n</P> <P>Finally, I must also note this looks like web traffic logs which splunk already has many sourcetypes preconfigured for. You might benefit more by using the IIS logs or Apache logs sourcetypes.</P> Tue, 29 Sep 2020 08:13:31 GMT jkat54 2020-09-29T08:13:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210209#M41396 <P>I have an index which is not timestamping the events. I looked in the Docs and it said I have to define it in my props.conf </P> <P>If this is true, can someone help me with the correct stanza? </P> <P>Here's what a few of my non-timestamped events look like </P> <PRE><CODE>1451406708913 172.xx.xx.xx - 160195 98610 3.12 1.19 200 21105 0 8 /graph?node=10904&amp;profiles=roomsOnly 1451406708879 172.xx.xx.xx - 160194 13073 4.50 3.69 200 6 0 8 /graph?node=10930 </CODE></PRE> Tue, 29 Dec 2015 16:43:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210209#M41396 skoelpin 2015-12-29T16:43:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210210#M41397 <P>Try this</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition</A></P> <P>More read : <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/HowSplunkextractstimestamps">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/HowSplunkextractstimestamps</A></P> Tue, 29 Dec 2015 16:54:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210210#M41397 renjith_nair 2015-12-29T16:54:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210211#M41398 <P>I read those docs before posting here.. It looks like the timestamp is being assigned to some hosts in that index and not assigning a timestamp to other hosts </P> <P>How do I get a timestamp on ALL hosts? </P> Tue, 29 Dec 2015 17:02:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210211#M41398 skoelpin 2015-12-29T17:02:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210212#M41399 <P>The stanza you need to change in props.conf will be named after the sourcetype of the data. </P> <P>I'm making comment on renjith.nair's response because if you read the documentation you'll understand this. However i'm also giving you the answer here:</P> <P>[sourcetypeName]<BR /> TIME_PREFIX = ^<BR /> TIME_FORMAT = %s%3n</P> <P>Finally, I must also note this looks like web traffic logs which splunk already has many sourcetypes preconfigured for. You might benefit more by using the IIS logs or Apache logs sourcetypes.</P> Tue, 29 Sep 2020 08:13:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210212#M41399 jkat54 2020-09-29T08:13:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210213#M41400 <P>Please explain what is meant by ALL hosts?</P> <P>Do you have some hosts which are sending this data in without the correct timestamps? If so check that props.conf is on every indexer and forwarder that is sending the data in, even the universal forwarders.</P> Tue, 29 Dec 2015 17:22:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Timestamp-Events/m-p/210213#M41400 jkat54 2015-12-29T17:22:15Z