https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229203#M44592 <P>Yeah I did. This has actually been in place for quite some time and hasn't been working. Just haven't had time for get to it until now.</P> Mon, 27 Jun 2016 15:36:17 GMT tkwaller 2016-06-27T15:36:17Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229199#M44588 <P>Hello</P> <P>I'm having an issue with timestamping for my WinRegistry data.<BR /> I don't know whether by design, or for some other reason, the timestamp in the logs are as such:</P> <PRE><CODE>11/02/11154 14:24:53.046 </CODE></PRE> <P>which of course is interpreted incorrectly. These Universal Forwarders forward to a cluster of Heavy Forwarders where an app SHOULD set the timestamp:</P> <PRE><CODE>[WinRegistry] DATETIME_CONFIG = CURRENT </CODE></PRE> <P>but this does not seem to be the case as I have logs that go back to 1969 and forward to 2032.</P> <P>Any ideas on where the issue may be?</P> <P>Thanks for the thoughts</P> Fri, 24 Jun 2016 16:13:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229199#M44588 tkwaller 2016-06-24T16:13:12Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229200#M44589 <P>Your <CODE>sourcetype</CODE> must match <EM>EXACTLY</EM>; does it? You must restart your Splunk instance on the server where you changed this setting.</P> <P>I would not use this approach, though; I would use <CODE>SEDCMD</CODE> to rewrite the timestamp with this:</P> <PRE><CODE>s/^(\d+\/\d+)\/1115/\1\/2014/ </CODE></PRE> <P>You will have to fix this every New-Year's Eve (or until you can get the log writer/formatter fixed).</P> Fri, 24 Jun 2016 16:50:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229200#M44589 woodcock 2016-06-24T16:50:23Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229201#M44590 <P>Yeah they match, in the app on the UF its:<BR /> [source::....winregistry]<BR /> sourcetype = WinRegistry</P> <P>in the props on the HF the stanza is:<BR /> [WinRegistry]<BR /> DATETIME_CONFIG = CURRENT</P> Fri, 24 Jun 2016 19:09:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229201#M44590 tkwaller 2016-06-24T19:09:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229202#M44591 <P>Did you restart splunk instances?</P> Fri, 24 Jun 2016 20:31:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229202#M44591 woodcock 2016-06-24T20:31:48Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229203#M44592 <P>Yeah I did. This has actually been in place for quite some time and hasn't been working. Just haven't had time for get to it until now.</P> Mon, 27 Jun 2016 15:36:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229203#M44592 tkwaller 2016-06-27T15:36:17Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229204#M44593 <P>I actually have a webex with support on this today. I believe that there's an issue with linebreaking and its inserting values where they should not be and its affecting the timestamp.<BR /> Thanks for looking at it!</P> Wed, 13 Jul 2016 12:31:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-configure-my-heavy-forwarders-to-parse-the-timestamp/m-p/229204#M44593 tkwaller 2016-07-13T12:31:32Z