<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Timestamp issue in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402826#M71600</link>
    <description>&lt;P&gt;Thanks &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/68181"&gt;@DavidHourani&lt;/a&gt; &lt;BR /&gt;
I tried setting  MAX_DAYS_AGO = 10 in props.conf&lt;BR /&gt;
but now the 2008 events show as they are and the 2019 events show as 2009 ... kindly help here&lt;/P&gt;</description>
    <pubDate>Wed, 30 Sep 2020 01:25:40 GMT</pubDate>
    <dc:creator>ips_mandar</dc:creator>
    <dc:date>2020-09-30T01:25:40Z</dc:date>
    <item>
      <title>Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402823#M71597</link>
      <description>&lt;P&gt;I have below sample events in log file-&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;2019-07-19|23:02:24.213|TEST|XYZ|Test1
2019-07-19|23:02:24.213|TEST|XYZ|Test2
2008-12-31|19:01:22.265|TEST|XYZ|Test3
2008-12-31|19:01:22.359|TEST|XYZ|Test4
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Here it can be seen that a few of the last events are for the year 2008, due to which all my events are becoming 2008 events in Splunk, although I specified the time format/time prefix, and by default MAX_DAYS_AGO is 5.48 years, so it should not index these events. Below is my props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[sample_st]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
disabled = false
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d|%H:%M:%S.%3N
TRANSFORMS-set= setnull,setparsing,replacedefaultsource
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 30 Sep 2020 01:25:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402823#M71597</guid>
      <dc:creator>ips_mandar</dc:creator>
      <dc:date>2020-09-30T01:25:34Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402824#M71598</link>
      <description>&lt;P&gt;Hey.&lt;/P&gt;

&lt;P&gt;I don't see a MAX_DAYS_AGO in your props.conf stanza provided. Also, according to the props.conf that setting does &lt;STRONG&gt;not&lt;/STRONG&gt; prevent old data from being indexed.&lt;/P&gt;

&lt;P&gt;To exclude such events, you'd need a transform to send those events to the nullQueue (based on a regex that sends all events to nothing that will match, basically).&lt;/P&gt;

&lt;P&gt;There are quite a few posts about how to do this out there. E.g. &lt;A href="https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html" target="_blank"&gt;https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Skalli&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 01:25:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402824#M71598</guid>
      <dc:creator>skalliger</dc:creator>
      <dc:date>2020-09-30T01:25:37Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402825#M71599</link>
      <description>&lt;P&gt;Hi @ips_mandar,&lt;/P&gt;

&lt;P&gt;Try setting it to a smaller value. It should fix it. Set it to 10, for example, for that sourcetype:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;MAX_DAYS_AGO = 10
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Edit:&lt;BR /&gt;
Here's the definition for this setting, so your older events will only be indexed with a newer date instead, not ignored though:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;* Splunk software still indexes events with dates older than 'MAX_DAYS_AGO'
  with the timestamp of the last acceptable event.
* If no such acceptable event exists, new events with timestamps older
  than 'MAX_DAYS_AGO' uses the current timestamp.
* For example, if MAX_DAYS_AGO = 10, Splunk software applies the timestamp
  of the last acceptable event to events with extracted timestamps older
  than 10 days in the past. If no acceptable event exists, Splunk software
  applies the current timestamp.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If you wish to ignore those events completely you can use sed-cmd to filter out any event starting with that 2008 year.&lt;/P&gt;

&lt;P&gt;Best regards,&lt;BR /&gt;
David&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2019 07:42:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402825#M71599</guid>
      <dc:creator>DavidHourani</dc:creator>
      <dc:date>2019-07-22T07:42:43Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402826#M71600</link>
      <description>&lt;P&gt;Thanks &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/68181"&gt;@DavidHourani&lt;/a&gt; &lt;BR /&gt;
I tried setting MAX_DAYS_AGO = 10 in props.conf&lt;BR /&gt;
but now the 2008 events show as they are and the 2019 events show as 2009 ... kindly help here&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 01:25:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402826#M71600</guid>
      <dc:creator>ips_mandar</dc:creator>
      <dc:date>2020-09-30T01:25:40Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402827#M71601</link>
      <description>&lt;P&gt;Thanks &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/203859"&gt;@skalliger&lt;/a&gt; &lt;BR /&gt;
I am already using nullQueue and indexQueue ... and also now I tried MAX_DAYS_AGO = 10 in props.conf&lt;BR /&gt;
but now the 2008 events show as they are and the 2019 events show as 2009 ... kindly help here&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 01:25:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402827#M71601</guid>
      <dc:creator>ips_mandar</dc:creator>
      <dc:date>2020-09-30T01:25:43Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402828#M71602</link>
      <description>&lt;P&gt;First event into Splunk should be the 2019 year. If you want to get rid of the 2008 altogether then just add this to your sourcetype :&lt;BR /&gt;
&lt;CODE&gt;SEDCMD-test = s/2008.+//g&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2019 09:07:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402828#M71602</guid>
      <dc:creator>DavidHourani</dc:creator>
      <dc:date>2019-07-22T09:07:50Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402829#M71603</link>
      <description>&lt;P&gt;Thanks&lt;BR /&gt;
Yes, the first event in the file which I am monitoring is from the year 2019, yet it is still changing to 2009. How will Splunk monitor the file, top to bottom?&lt;BR /&gt;
For SEDCMD there is also the possibility of 2007/2006 or any other year, so I cannot hard-code it in SEDCMD.&lt;/P&gt;

&lt;P&gt;Why is it showing me the year 2009? If required, I can share the exact file with you by email.&lt;BR /&gt;
Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jul 2019 09:49:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402829#M71603</guid>
      <dc:creator>ips_mandar</dc:creator>
      <dc:date>2019-07-22T09:49:51Z</dc:date>
    </item>
    <item>
      <title>Re: Timestamp issue</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402830#M71604</link>
      <description>&lt;P&gt;Show us your transforms.conf doing the nullQueue sampling. Basically, you need a REGEX matching on the years you want to discard.&lt;BR /&gt;
With an example event, we might be able to help here.&lt;/P&gt;

&lt;P&gt;Skalli&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jul 2019 12:18:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Timestamp-issue/m-p/402830#M71604</guid>
      <dc:creator>skalliger</dc:creator>
      <dc:date>2019-07-25T12:18:51Z</dc:date>
    </item>
  </channel>
</rss>