https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315457#M59023 <P>See this</P> <P><A href="https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html">https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html</A></P> Tue, 23 May 2017 14:57:01 GMT somesoni2 2017-05-23T14:57:01Z https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315455#M59021 <P>Hi,everyone.</P> <P>My raw log is like this:<BR /> 2017-05-22 01:00:01 dst:100.100.100.2 src:118.32.120.110 port:60046 count:6<BR /> 2017-05-22 01:00:01 dst:100.100.100.2 src:118.32.120.91 port:38026 count:2<BR /> 2017-05-22 01:00:01 dst:100.100.100.2 src:118.43.104.16 port:33967 count:2<BR /> 2017-05-22 01:00:01 dst:100.100.100.2 src:119.1.109.17 port:43973 count:3</P> <P>And the count of raw log is 409767.<BR /> All of the time is 2017/05/22 01:00:01 in raw log.<BR /> But splunk extract timestamp is 2017/05/22 01:00:01 2017/05/22 01:00:02 2017/05/22 01:00:03 2017/05/22 01:00:04 2017/05/22 01:00:05<BR /> I use this search comand "sourcetype=test |stats count by _time",and got this result.<BR /> _time count<BR /> 2017/05/22 01:00:01 100000<BR /> 2017/05/22 01:00:02 100000<BR /> 2017/05/22 01:00:03 100000<BR /> 2017/05/22 01:00:04 100000<BR /> 2017/05/22 01:00:05 9767</P> <P>I have set TIME_FORMAT=%Y-%m-%d %H:%M:%S in props.conf,but doesn`t work.<BR /> I also use this "sourcetype=test | fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S") "<BR /> The timestamp return aN/NaN/NaN NaN:NaN:NaN.000<BR /> Anyone know how to solve this issue?<BR /> Thanks.</P> Tue, 29 Sep 2020 14:14:03 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315455#M59021 perlish 2020-09-29T14:14:03Z https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315456#M59022 <P>The time format logic should Work. Just tested as below</P> <PRE><CODE>|makeresults | eval _time="2017-05-22 01:00:01" | eval myEpoch=strptime(_time,"%Y-%m-%d %H:%M:%S")| eval reConvertTime=strftime(myEpoch,"%FT%T") </CODE></PRE> <P>In your props Try putting and restarting Splunk</P> <PRE><CODE>TIME_FORMAT=%Y-%m-%d %H:%M:%S TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD=32 </CODE></PRE> Tue, 23 May 2017 14:55:09 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315456#M59022 koshyk 2017-05-23T14:55:09Z https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315457#M59023 <P>See this</P> <P><A href="https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html">https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html</A></P> Tue, 23 May 2017 14:57:01 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315457#M59023 somesoni2 2017-05-23T14:57:01Z https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315458#M59024 <P>Props you have defined, is it under search or your custom app?</P> Tue, 23 May 2017 17:10:16 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315458#M59024 akocak 2017-05-23T17:10:16Z https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315459#M59025 <P>Solved. Thank you so much.</P> Wed, 24 May 2017 01:59:14 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315459#M59025 perlish 2017-05-24T01:59:14Z https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315460#M59026 <P>Still doesn`t work, it should be splunk limit.<BR /> <A href="https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html">https://answers.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond.html</A></P> Wed, 24 May 2017 02:00:03 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-extract-incorrect-time/m-p/315460#M59026 perlish 2017-05-24T02:00:03Z