https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361114#M65867 <P>Hi a212830,<BR /> for me the best approach to a timestamp problem is to download an example of your log in a file and try to ingest it using the Splunk web gui.<BR /> In this way you can immediately check your configurations and verify problems.</P> <P>In your specific situation, the problem could be in <CODE>MAX_TIMESTAMP_LOOKAHEAD=18</CODE> and <CODE>TIME_PREFIX=\d+\s\w+\s</CODE></P> <P>Bye.<BR /> Giuseppe</P> Wed, 03 May 2017 15:37:47 GMT gcusello 2017-05-03T15:37:47Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361113#M65866 <P>Hi,</P> <P>I have the following data coming in:</P> <PRE><CODE>10009 SYSTEM 03/05/17 11:12:44 Info Message Partner MQCACTUSOUT, Session 611 - Message sent Sequence number : 242034 UUMID : OCHASUS33XXX9002556093123JY Suffix : 1705031356750 - lrtAZ842 </CODE></PRE> <P>The problem is, instead of interpresting the date as May 3rd, it's being interpreted as March 5th. My props has the following, which looks correct to me. </P> <PRE><CODE>[swift_alarmsmsgs] SHOULD_LINEMERGE=false NO_BINARY_CHECK=true ANNOTATE_PUNCT=false KV_MODE=auto LINE_BREAKER = ([\r\n]+)\d{5} TIME_FORMAT = %d/%m/%y %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD=50 </CODE></PRE> Wed, 03 May 2017 15:17:03 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361113#M65866 a212830 2017-05-03T15:17:03Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361114#M65867 <P>Hi a212830,<BR /> for me the best approach to a timestamp problem is to download an example of your log in a file and try to ingest it using the Splunk web gui.<BR /> In this way you can immediately check your configurations and verify problems.</P> <P>In your specific situation, the problem could be in <CODE>MAX_TIMESTAMP_LOOKAHEAD=18</CODE> and <CODE>TIME_PREFIX=\d+\s\w+\s</CODE></P> <P>Bye.<BR /> Giuseppe</P> Wed, 03 May 2017 15:37:47 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361114#M65867 gcusello 2017-05-03T15:37:47Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361115#M65868 <P>Upvote for likely correct TIME_PREFIX to fix the OP's issue.</P> Wed, 03 May 2017 16:23:46 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361115#M65868 DalJeanis 2017-05-03T16:23:46Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361116#M65869 <P>Agreed. I was gonna say <CODE>TIME_PREFIX</CODE> as well. </P> Mon, 08 May 2017 13:03:13 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-timestamp-not-being-recognized/m-p/361116#M65869 sloshburch 2017-05-08T13:03:13Z