https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458138#M79189 <P>Hi,</P> <P>I'm having some issues getting a feeds timestamp picked up properly. The date field comes in like this: <CODE>"date": "8/15/2019 10:55:16 AM"</CODE>. My props has this, which isn't working. </P> <PRE><CODE>TZ = UTC TIME_FORMAT = %m/%d/%Y %I:%M:%S %p TIME_PREFIX = "date": " </CODE></PRE> Wed, 21 Aug 2019 16:55:19 GMT a212830 2019-08-21T16:55:19Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458138#M79189 <P>Hi,</P> <P>I'm having some issues getting a feeds timestamp picked up properly. The date field comes in like this: <CODE>"date": "8/15/2019 10:55:16 AM"</CODE>. My props has this, which isn't working. </P> <PRE><CODE>TZ = UTC TIME_FORMAT = %m/%d/%Y %I:%M:%S %p TIME_PREFIX = "date": " </CODE></PRE> Wed, 21 Aug 2019 16:55:19 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458138#M79189 a212830 2019-08-21T16:55:19Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458139#M79190 <P>date i coming as per the format specified, how would you like to see the date?</P> Wed, 21 Aug 2019 17:30:20 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458139#M79190 Sukisen1981 2019-08-21T17:30:20Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458140#M79191 <P>It's not taking that date as the event date - looks like it's taking the system date on the server. </P> Wed, 21 Aug 2019 17:37:41 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458140#M79191 a212830 2019-08-21T17:37:41Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458141#M79192 <P>have you set the spec?<BR /> []<BR /> DATETIME_CONFIG = <BR /> TIME_PREFIX = <BR /> MAX_TIMESTAMP_LOOKAHEAD = <BR /> TIME_FORMAT = <BR /> TZ = <BR /> MAX_DAYS_AGO = <BR /> MAX_DAYS_HENCE = <BR /> MAX_DIFF_SECS_AGO = <BR /> MAX_DIFF_SECS_HENCE = </P> <P>In this syntax, can be:</P> <P>, the source type of an event.<BR /> host::, where is the host value for an event.<BR /> source::, where is the source value for an event.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configuretimestamprecognition" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configuretimestamprecognition</A></P> Wed, 30 Sep 2020 01:50:57 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458141#M79192 Sukisen1981 2020-09-30T01:50:57Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458142#M79193 <P>I have what's listed above, which works most of the time. Trying to determine if something there is wrong, especially since the time prefix includes quotes. </P> Wed, 21 Aug 2019 17:43:52 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458142#M79193 a212830 2019-08-21T17:43:52Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458143#M79194 <P>You need this for props.conf:</P> <PRE><CODE>TZ = UTC TIME_PREFIX = "date":\s+" TIME_FORMAT = %m/%d/%Y %I:%M:%S %p </CODE></PRE> <P>Your settings are fine so it must be something else. If you are doing a sourcetype override/overwrite, you must use the <EM>ORIGINAL</EM> value, <EM>NOT</EM> the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using <CODE>_index_earliest=-5m</CODE> to be absolutely certain that you are only examining the newly indexed events.</P> Mon, 02 Sep 2019 16:22:37 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458143#M79194 woodcock 2019-09-02T16:22:37Z https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458144#M79195 <P>Give a btool output of the props.conf so we can see what's really happening. I'm guessing the above is from the props.conf without btool.</P> Wed, 25 Sep 2019 18:36:34 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-timestamp-and-time-prefix/m-p/458144#M79195 sloshburch 2019-09-25T18:36:34Z