https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238124#M46258 <P>Your <CODE>TIME_FORMAT</CODE> should be <CODE>%m-%d-%Y %H:%M:%S.%3N</CODE>, possibly plus timezone info if the <CODE>+00</CODE> refers to UTC.<BR /> After setting that, make sure you restart Splunk and only look at newly indexed events - existing ones won't change.</P> Tue, 08 Mar 2016 21:48:18 GMT martin_mueller 2016-03-08T21:48:18Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238123#M46257 <P>I have the following log and need splunk to grab the second timestamp instead of the first. I have tried adjusting props.conf as shown below as well.</P> <PRE><CODE>Task Update Application Available Targeting is due at Wednesday 03/09/2016 00:00:00 $$&lt;SMS_DATABASE_NOTIFICATION_MONITOR&gt;&lt;03-08-2016 19:00:26.917+00&gt;&lt;thread=6760 (0x1A68)&gt; </CODE></PRE> <P>Props.conf</P> <PRE><CODE>[server_log] TIME_PREFIX = &gt;&lt; TIME_FORMAT = %m-%d-%y %H:%M:%S. </CODE></PRE> Tue, 08 Mar 2016 21:44:24 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238123#M46257 hlarimer 2016-03-08T21:44:24Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238124#M46258 <P>Your <CODE>TIME_FORMAT</CODE> should be <CODE>%m-%d-%Y %H:%M:%S.%3N</CODE>, possibly plus timezone info if the <CODE>+00</CODE> refers to UTC.<BR /> After setting that, make sure you restart Splunk and only look at newly indexed events - existing ones won't change.</P> Tue, 08 Mar 2016 21:48:18 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238124#M46258 martin_mueller 2016-03-08T21:48:18Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238125#M46259 <P>Thanks Martin, I added those changes but I'm still getting the first timestamp instead of the second. I added the changes last night and then restarted the splunk forwarder. Do you think the TIME_PREFIX is correctly?</P> Wed, 09 Mar 2016 13:46:55 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238125#M46259 hlarimer 2016-03-09T13:46:55Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238126#M46260 <P>Setting those two things works for me:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1114iB357D40A3A1ACAF6/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 09 Mar 2016 20:07:53 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238126#M46260 martin_mueller 2016-03-09T20:07:53Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238127#M46261 <P>Maybe I have this set in the incorrect place then, I have it in props.conf on the UF, should it actually be on the SH?</P> Wed, 09 Mar 2016 20:33:34 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238127#M46261 hlarimer 2016-03-09T20:33:34Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238128#M46262 <P>It should be on the instance that performs the parsing: <A href="http://wiki.splunk.com/Community:HowIndexingWorks">http://wiki.splunk.com/Community:HowIndexingWorks</A></P> <P>Usually that's the indexers, sometimes heavy forwarders, only very rarely (e.g. INDEXED_EXTRACTIONS) universal forwarders, also rarely search heads (e.g. combined search head with DB Connect, modular inputs, etc).</P> Wed, 09 Mar 2016 20:39:32 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238128#M46262 martin_mueller 2016-03-09T20:39:32Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238129#M46263 <P>Thanks Martin, it looks like moving it to indexers took care of it! That was my mistake, I was thinking that timestamp extraction happened earlier.</P> Thu, 10 Mar 2016 14:03:25 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238129#M46263 hlarimer 2016-03-10T14:03:25Z https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238130#M46264 <P>Great - don't forget to mark the answer as accepted.</P> Thu, 10 Mar 2016 19:33:37 GMT https://community.splunk.com/t5/Getting-Data-In/Incorrect-Timestamp/m-p/238130#M46264 martin_mueller 2016-03-10T19:33:37Z