https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464217#M80047 <P>Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.</P> Wed, 11 Dec 2019 03:50:09 GMT sdkp03 2019-12-11T03:50:09Z https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464216#M80046 <P>We are currently using Splunk version 7.2.7. As per the Splunk recommendation related to "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" I did replace datetime.xml file in /opt/splunk/etc folder and restarted the Splunk instances. </P> <P>I modified the parameter MAX_DAYS_HENCE parameter in props.conf as recommended. However, when trying to ingest data dated "19-12-31 23:58:44" and "20-01-02 23:58:54" am seeing an error message - <CODE>Could not use regex to parse timestamp from 19-12-31.</CODE> </P> <P>For testing purposes, I did ingest data with timestamp dated 14-12-2019 to verify if the props.conf setting was overridden to 40. Unfortunately, I see that it's still not reflecting. </P> <P>Error message while indexing this date:</P> <P>1) A possible timestamp match (Fri Dec 13 23:58:54 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAY_HENCE. </P> <P>2) Failed to parse timestamp in first MAX_TIMSTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Dec 11 23:58:54 2019).</P> <P>I did run btool to verify for conflicts and it shows the MAX_DAYS_HENCE value as 40 (as expected). Can someone please assist me in getting around with this issue.</P> Wed, 30 Sep 2020 03:21:10 GMT https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464216#M80046 sdkp03 2020-09-30T03:21:10Z https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464217#M80047 <P>Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.</P> Wed, 11 Dec 2019 03:50:09 GMT https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464217#M80047 sdkp03 2019-12-11T03:50:09Z https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464218#M80048 <P>Hi,</P> <P>I have updated MAX_DAYS_HENCE in props.conf file however noticed that 2 digit year timestamp in this format(Jan 02, 20) its able to recognize and others are not. Have you updated any other parameter?</P> Wed, 30 Sep 2020 03:22:20 GMT https://community.splunk.com/t5/Getting-Data-In/Error-message-while-parsing-timestamp-dated-after-19-12-31/m-p/464218#M80048 sangeetapalacce 2020-09-30T03:22:20Z