https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305021#M57510 <P>You need this setting, too:</P> <PRE><CODE>TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%z </CODE></PRE> Thu, 30 Mar 2017 03:49:37 GMT woodcock 2017-03-30T03:49:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305019#M57508 <P>I have the following event being sent from a Universal Forwarder (UF) syslog server to a standalone instance of Splunk: </P> <PRE><CODE>4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurityc5e81075-f14f-11e3-9b1e-123478563412/cd4c5993-11b0-11e4-92a9-123478563412134.82.79.10S-1-5-21-2136110353-913448559-1712093940-13349falseBUCKNELLleisnhth-aSecurityFile00000000000466;00;015ce358;514e6b60(netspace_departments);/isr/public/www2/bu_only/AICT/images/oversize/IRM195.jpg%%4423 %%1538 2080Read Attributes; Read ACL; </CODE></PRE> <P>The data is obviously in an XML format. I created a subdirectory within $SPLUNK_HOME/etc/deployment-apps/IA-naaudit and in the default dir I have an inputs.conf: </P> <PRE><CODE>[monitor:///var/log/rsyslogs/Netapp/audit_svm_netspace_last.xml] index = netapp sourcetype = audit _TCP_ROUTING = dev_splunk </CODE></PRE> <P>and an outputs.conf </P> <PRE><CODE>[tcpout:dev_splunk] server = sptest:9996 </CODE></PRE> <P>I manually replicated these dirs and files on the UF in /opt/splunkforwarder/etc/apps/ </P> <P>I am now receiving the event data shown above. </P> <P>On the standalone instance I created the dir $SPLUNK_HOME/etc/deployment-apps/TA-naaudit and in the local dir I created <BR /> props.conf: </P> <PRE><CODE>[netapp] KV_MODE = xml TIME_PREFIX = \ntscripts\&lt; DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Here is my problem: from the event you can see that it should have the timestamp "2017-03-27T16:18:55.218021000Z". When I do a search on index=netapp this event (along with a gazillion others) it gets the time stamp "3/27/17 12:40:40.000 PM" which is incorrect. </P> <P>Also, I'm trying to drop the events with the user "ntscripts" but they show up in the search as well. </P> <P>Can you tell me where I'm going wrong? </P> <P>Thanks, <BR /> Mike</P> Wed, 29 Mar 2017 18:24:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305019#M57508 dahlberg 2017-03-29T18:24:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305020#M57509 <P>The directory $SPLUNK_HOME/etc/deployment-apps is for storing the deployment app that you push if your current server is a deployment server. Since you copied the app IA-naaudit with inputs.conf manually on UF, that was fine. You need to place the $SPLUNK_HOME/etc/deployment-apps/TA-naaudit in $SPLUNK_HOME/etc/apps/TA-naaudit directory, place from where your standalone Splunk instance will read/load the configuration.</P> Tue, 29 Sep 2020 13:25:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305020#M57509 somesoni2 2020-09-29T13:25:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305021#M57510 <P>You need this setting, too:</P> <PRE><CODE>TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%z </CODE></PRE> Thu, 30 Mar 2017 03:49:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305021#M57510 woodcock 2017-03-30T03:49:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305022#M57511 <P>Thanks. I used btool and found I wasn't loading that particular props.conf file.</P> Thu, 30 Mar 2017 14:06:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-correct-an-incorrect-time-value/m-p/305022#M57511 dahlberg 2017-03-30T14:06:56Z