<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why are multiple timestamps in the same log message causing an issue with Splunk event time? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421737#M74166</link>
    <description>&lt;P&gt;Try adding &lt;CODE&gt;TIME_PREFIX = ^&lt;/CODE&gt; to props.conf.&lt;/P&gt;</description>
    <pubDate>Mon, 03 Dec 2018 21:33:38 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2018-12-03T21:33:38Z</dc:date>
    <item>
      <title>Why are multiple timestamps in the same log message causing an issue with Splunk event time?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421736#M74165</link>
      <description>&lt;P&gt;We have application logs that are being monitored using a universal forwarder, and below is a sample message, where the same log message will have &lt;STRONG&gt;multiple dates&lt;/STRONG&gt; for better tracing.&lt;/P&gt;

&lt;P&gt;The issue is that, sporadically, the timestamps in the actual JSON ("dateCreated" and "shipDate") are taken as the start of the Splunk event instead of the actual time the event occurred, i.e. the sample message below is shown in the Splunk search with the "_time" field as "2018-12-03T12:00:00" instead of "2018-12-03T15:06:42".&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;2018-12-03T15:06:42,298 [[my-application].endpointsFlow.stage1.4150] INFO com.xxx.yyy.zzz - Processing Mesage
 Message:{
  "dateCreated": "2018-12-03T12:00:00Z",
  "shipDate": "2018-12-03T12:00:00Z",
   "XXX" :"YYYY"
  }
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;We tried explicitly setting the configuration below in &lt;STRONG&gt;props.conf&lt;/STRONG&gt;; however, this doesn't have any effect on the behavior.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[test:app]
REPORT-app = test-app, test-app2
BREAK_ONLY_BEFORE=^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}
MAX_TIMESTAMP_LOOKAHEAD = 25
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Any pointer would be really helpful, thanks in advance.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Dec 2018 21:22:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421736#M74165</guid>
      <dc:creator>sarathdsc</dc:creator>
      <dc:date>2018-12-03T21:22:35Z</dc:date>
    </item>
    <item>
      <title>Re: Why are multiple timestamps in the same log message causing an issue with Splunk event time?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421737#M74166</link>
      <description>&lt;P&gt;Try adding &lt;CODE&gt;TIME_PREFIX = ^&lt;/CODE&gt; to props.conf.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Dec 2018 21:33:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421737#M74166</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2018-12-03T21:33:38Z</dc:date>
    </item>
    <item>
      <title>Re: Why are multiple timestamps in the same log message causing an issue with Splunk event time?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421738#M74167</link>
      <description>&lt;P&gt;Thanks for the quick reply. Sure, will try that.&lt;BR /&gt;
So in our case there is a possibility that the "MAX_TIMESTAMP_LOOKAHEAD" fallback doesn't have any effect, as the indexer started looking from the "empty string" location (the TIME_PREFIX default) + max 25 characters ahead for the &lt;EM&gt;timestamp&lt;/EM&gt;, which could be anywhere in the payload? Am I reading this right?&lt;/P&gt;

&lt;P&gt;FYI, the search below is still returning so many results:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;search * | where timestartpos&amp;gt;=25 | top  timestartpos
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 22:16:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421738#M74167</guid>
      <dc:creator>sarathdsc</dc:creator>
      <dc:date>2020-09-29T22:16:56Z</dc:date>
    </item>
    <item>
      <title>Re: Why are multiple timestamps in the same log message causing an issue with Splunk event time?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421739#M74168</link>
      <description>&lt;P&gt;This does not help us; we still have the same time format issues even after adding &lt;CODE&gt;TIME_PREFIX = ^&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;Below are the current configurations. Is there any possibility that another property/configuration somewhere else causes these properties not to take effect?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;BREAK_ONLY_BEFORE=^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The search below still returns so many results:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;search * | where timestartpos&amp;gt;=25 | top timestartpos
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 04 Dec 2018 15:05:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421739#M74168</guid>
      <dc:creator>sarathdsc</dc:creator>
      <dc:date>2018-12-04T15:05:09Z</dc:date>
    </item>
    <item>
      <title>Re: Why are multiple timestamps in the same log message causing an issue with Splunk event time?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421740#M74169</link>
      <description>&lt;P&gt;I hope one of these works; if not, you need to check whether there is a space at the beginning of each event.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# Option 1: keep line merging and start a new event before each header timestamp
[test:app]
NO_BINARY_CHECK = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25

# Option 2: disable line merging and cut the stream only at newlines that are
# followed by a header timestamp (use one of the two stanzas, not both)
[test:app]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 04 Dec 2018 19:21:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-are-multiple-timestamps-in-the-same-log-message-causing-an/m-p/421740#M74169</guid>
      <dc:creator>prakash007</dc:creator>
      <dc:date>2018-12-04T19:21:50Z</dc:date>
    </item>
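A worked model of the behaviour discussed in the question and in the two stanzas above, added here as an example that is not part of the original thread and is not Splunk's own code: a small Python simulation of how TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD define the window in which the event timestamp is searched, and how that window lands on a JSON body date once line breaking goes wrong. The sample events are constructed to match the shape of the posted log; the ISO-8601 recogniser and the LINE_BREAKER split are simplified approximations of what Splunk does, not its implementation, and TIME_FORMAT is not modelled.

```python
import re
from datetime import datetime

# Constructed sample events, modelled on the log shape posted in the thread
# (the values are made up, not taken from any real system).
HEADER_1 = "2018-12-03T15:06:42,298 [[my-application].endpointsFlow.stage1.4150] INFO com.xxx.yyy.zzz - Processing Message"
HEADER_2 = "2018-12-03T15:07:01,004 [[my-application].endpointsFlow.stage1.4151] INFO com.xxx.yyy.zzz - Processing Message"
BODY = (
    " Message:{\n"
    '  "dateCreated": "2018-12-03T12:00:00Z",\n'
    '  "shipDate": "2018-12-03T12:00:00Z",\n'
    '   "XXX" :"YYYY"\n'
    "  }"
)
GOOD_EVENT = HEADER_1 + "\n" + BODY                  # one correctly broken event
BROKEN_EVENT = BODY                                  # a body whose header became a separate event
STREAM = GOOD_EVENT + "\n" + HEADER_2 + "\n" + BODY  # two events as they arrive from the forwarder

# Splunk's automatic timestamp recogniser understands many formats; this toy
# version only knows ISO-8601 with either ",mmm" or a trailing "Z", which is
# enough to show how TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD interact.
ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:,\d{3}|Z)")

def extract_time(event, time_prefix="", max_lookahead=128):
    """Toy model of Splunk's timestamp search window.

    Returns (datetime, timestartpos, timeendpos), or None when no timestamp
    lies inside the window.  Defaults mirror props.conf defaults: an empty
    TIME_PREFIX starts the window at offset 0 and MAX_TIMESTAMP_LOOKAHEAD is
    128 characters.  Offsets are 0-based character positions in the event.
    """
    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if m is None:
            return None          # prefix never matched: nothing to anchor on
        start = m.end()
    window = event[start:start + max_lookahead]
    ts = ISO_TS.search(window)
    if ts is None:
        return None
    raw = ts.group(0)
    fmt = "%Y-%m-%dT%H:%M:%S,%f" if "," in raw else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(raw, fmt), start + ts.start(), start + ts.end()

# Toy model of LINE_BREAKER with SHOULD_LINEMERGE = false: cut the stream only
# at a newline run that is immediately followed by a header-style timestamp.
# Indented JSON lines never start with a digit, so they stay in their event.
LINE_BREAKER = re.compile(r"[\r\n]+(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})")

def break_events(stream):
    return [e for e in LINE_BREAKER.split(stream) if e.strip()]

def demo():
    """Compare the ways the same stream can be parsed."""
    results = {}

    # Correct breaking, anchored prefix, tight lookahead: the header wins and
    # the JSON timestamps sit outside the 25-character window.
    events = break_events(STREAM)
    results["anchored"] = [extract_time(e, "^", 25)[0].isoformat() for e in events]

    # If the stream is cut on every newline instead, each JSON line is its own
    # event and its embedded date is the only timestamp in reach.
    per_line = []
    for line in STREAM.split("\n"):
        found = extract_time(line)
        if found:
            per_line.append(found[0].isoformat())
    results["per_line"] = per_line

    # A body that lost its header: with the default 128-character lookahead the
    # JSON date is picked up at offset 29, which is what the thread's search
    # "where timestartpos>=25" would surface; with the 25-character window it
    # is simply not found at all.
    results["orphan_default"] = extract_time(BROKEN_EVENT)[1]
    results["orphan_tight"] = extract_time(BROKEN_EVENT, "^", 25)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to print the comparison. The point it makes: once the stream is broken correctly and TIME_PREFIX is anchored at ^, a 25-character window can only ever see the header timestamp, so a body date can become _time only when the event no longer begins with the header. Two checks are worth making when a stanza like the ones above appears to have no effect: index-time settings such as LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD are applied where parsing happens, on the indexer or a heavy forwarder rather than on the universal forwarder, and the stanza name must match the sourcetype the events actually carry; events that were already indexed keep their old _time, so the result has to be judged on freshly ingested data.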
  </channel>
</rss>

