<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Issues with timestamps in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38943#M7213</link>
    <description>&lt;P&gt;Have you experimented with &lt;CODE&gt;MAX_TIMESTAMP_LOOKAHEAD&lt;/CODE&gt; and &lt;CODE&gt;TIME_PREFIX&lt;/CODE&gt; as well?  These two help to key Splunk in on a specific area of the event text for which to apply your &lt;CODE&gt;TIME_FORMAT&lt;/CODE&gt;.  &lt;/P&gt;

&lt;P&gt;If you can provide some sample (redacted) data, that could help narrow down why Splunk isn't picking up the time like you were expecting.&lt;/P&gt;

&lt;P&gt;You could always pop on #splunk on EFNet IRC and discuss this there. Again, with some sample data, this should be fairly easy to work out.&lt;/P&gt;</description>
    <pubDate>Thu, 07 Jul 2011 15:46:12 GMT</pubDate>
    <dc:creator>dwaddle</dc:creator>
    <dc:date>2011-07-07T15:46:12Z</dc:date>
    <item>
      <title>Issues with timestamps</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38942#M7212</link>
      <description>&lt;P&gt;I'm trying to get Splunk to index the output from the Connect:Enterprise cmulist command. I run the command periodically and filter out the rubbish just leaving me with the lines that count. This gives me one line per entry and with the following date format from around character 65.&lt;/P&gt;

&lt;P&gt;11/07/06-07:00 &lt;/P&gt;

&lt;P&gt;This is yy/mm/dd-HH:MM so I've set TIME_FORMAT for this data source to %y/%m/%d-%H:%M. This appeared to be working but I noticed some missing records and finally found them away in 2006.&lt;/P&gt;

&lt;P&gt;I set the TIME_FORMAT value in my etc/system/local/props.conf.&lt;/P&gt;

&lt;P&gt;I'm also seeing that occasionally it doesn't bother using the date/time in the record; instead it uses current time. It then clumps all of the lines together in a single entry.&lt;/P&gt;

&lt;P&gt;Anyone any tips on how I fix these problems, short of using perl to reformat the input into a format that Splunk can reliably process?&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jul 2011 07:21:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38942#M7212</guid>
      <dc:creator>MickSheppard</dc:creator>
      <dc:date>2011-07-07T07:21:24Z</dc:date>
    </item>
    <item>
      <title>Re: Issues with timestamps</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38943#M7213</link>
      <description>&lt;P&gt;Have you experimented with &lt;CODE&gt;MAX_TIMESTAMP_LOOKAHEAD&lt;/CODE&gt; and &lt;CODE&gt;TIME_PREFIX&lt;/CODE&gt; as well?  These two help to key Splunk in on a specific area of the event text for which to apply your &lt;CODE&gt;TIME_FORMAT&lt;/CODE&gt;.  &lt;/P&gt;

&lt;P&gt;If you can provide some sample (redacted) data, that could help narrow down why Splunk isn't picking up the time like you were expecting.&lt;/P&gt;

&lt;P&gt;You could always pop on #splunk on EFNet IRC and discuss this there. Again, with some sample data, this should be fairly easy to work out.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jul 2011 15:46:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38943#M7213</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2011-07-07T15:46:12Z</dc:date>
    </item>
    <item>
      <title>Re: Issues with timestamps</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38944#M7214</link>
      <description>&lt;P&gt;I played with MAX_DAYS_AGO and MAX_DAYS_HENCE and now it seems to be working without any issues.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 09:43:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issues-with-timestamps/m-p/38944#M7214</guid>
      <dc:creator>MickSheppard</dc:creator>
      <dc:date>2020-09-28T09:43:35Z</dc:date>
    </item>
  </channel>
</rss>

