https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502813#M85645 <P>you can use the <CODE>_time</CODE> to be the index time in props.conf</P> <PRE><CODE> [mysourcetype] DATETIME_CONFIG = CURRENT </CODE></PRE> <P>now you have 2 time fields, _time and your field with HMS.MS</P> <P>hope it helps</P> Tue, 10 Dec 2019 03:26:53 GMT adonio 2019-12-10T03:26:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502809#M85641 <P>Hi,<BR /> I have a log file like this:</P> <PRE><CODE>08:00:00.032 user parameter: A[0]B[0]C: Action successful. </CODE></PRE> <P>This is just <STRONG>hour:minutes:seconds:mile seconds</STRONG><BR /> As you see the only time of that event exists in log, and Splunk _time automatically converts this 08:00:00.032 to timestamp! <BR /> This is the cause of the wrong date for events.</P> <P>For example, If I added today's log file to Splunk it will show events belong to 2018 ,2017, 2016 ...</P> <P>Any recommendation?<BR /> Thanks.</P> Mon, 09 Dec 2019 17:37:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502809#M85641 indeed_2000 2019-12-09T17:37:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502810#M85642 <P>Do you have <CODE>TIME_FORMAT = %H:%M:%S.%3N</CODE> in your props.conf?</P> Mon, 09 Dec 2019 18:31:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502810#M85642 richgalloway 2019-12-09T18:31:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502811#M85643 <P>1-Add this props.conf<BR /> 2- remove fishbucket<BR /> 3- restart service </P> <P>Problem still remain.</P> <P>Any idea?</P> Mon, 09 Dec 2019 19:33:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502811#M85643 indeed_2000 2019-12-09T19:33:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502812#M85644 <P>What should the correct timestamp be?</P> Mon, 09 Dec 2019 22:06:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502812#M85644 richgalloway 2019-12-09T22:06:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502813#M85645 <P>you can use the <CODE>_time</CODE> to be the index time in props.conf</P> <PRE><CODE> [mysourcetype] DATETIME_CONFIG = CURRENT </CODE></PRE> <P>now you have 2 time fields, _time and your field with HMS.MS</P> <P>hope it helps</P> Tue, 10 Dec 2019 03:26:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502813#M85645 adonio 2019-12-10T03:26:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502814#M85646 <P>should I do something else after this change? e.g. restart splunk service?</P> Tue, 10 Dec 2019 07:17:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502814#M85646 indeed_2000 2019-12-10T07:17:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502815#M85647 <P>Hour:Minutes:Seconds:Millisecond<BR /> 08:00:00.122 = 08 AM</P> Tue, 10 Dec 2019 07:20:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502815#M85647 indeed_2000 2019-12-10T07:20:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502816#M85648 <P>It is not very clear what your issue is here. Since the timestamp does not include a date, I believe Splunk will assume the date is today, and index all events as such.</P> <P>Do you have logs from multiple dates in your file, but without a date in the events? Or what exactly is your issue? Maybe show what the _time field looks like in Splunk and explain what is wrong with it.</P> Tue, 10 Dec 2019 07:42:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502816#M85648 FrankVl 2019-12-10T07:42:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502817#M85649 <P>1-file contain only log of today.<BR /> 2-there is no date in log it just time 08:00:00.122 <BR /> 3-"_time" also show logs that belong this dates 2018 ,2017, 2016 ...</P> <P>exact problem is splunk convert time to date e.g.</P> <PRE><CODE>source="/opt/logs-20191210.log" | table _time 1 2018-02-02 09:04:04.042 2 2018-02-02 09:04:04.041 3 2018-02-02 09:04:04.041 4 2018-02-02 09:04:04.039 5 2018-02-02 09:04:04.039 </CODE></PRE> <P>....</P> <PRE><CODE>1 2017-07-13 08:43:56.928 2 2017-07-13 08:43:56.927 3 2017-07-13 08:43:56.925 4 2017-07-13 08:43:56.925 5 2017-07-13 08:43:56.920 </CODE></PRE> <P>....</P> <PRE><CODE>1 2016-12-26 08:48:35.986 2 2016-12-26 08:48:35.986 3 2016-12-26 08:48:35.984 4 2016-12-26 08:48:35.979 5 2016-12-26 08:48:35.979 </CODE></PRE> <P>...</P> <P>1-here is the props.conf</P> <PRE><CODE>[logs-20191210-too_small] TIME_FORMAT = %H:%M:%S.%3N </CODE></PRE> <P>also try this one</P> <PRE><CODE>DATETIME_CONFIG = CURRENT </CODE></PRE> <P>2- remove fishbucket<BR /> 3- restart service</P> <P>Problem still remain.</P> <P>Any idea?</P> Tue, 10 Dec 2019 12:34:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502817#M85649 indeed_2000 2019-12-10T12:34:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502818#M85650 <P>Where did you deploy that props.conf? It should be on the first full splunk enterprise instance that processes the data (so on a HF or Indexer), not on a universal forwarder. Because if even <CODE>DATETIME_CONFIG = CURRENT</CODE> isn't working, then it sounds like that props.conf is not taking effect.</P> Tue, 10 Dec 2019 14:49:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502818#M85650 FrankVl 2019-12-10T14:49:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502819#M85651 <P>Logs and enterprise splunk locate on the single server and I just want to do this config affect to specific log. Not whole logs.</P> Tue, 10 Dec 2019 15:19:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502819#M85651 indeed_2000 2019-12-10T15:19:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502820#M85652 <P>What do you mean by that? Are you using some transforms to assign this <CODE>logs-20191210-too_small</CODE> sourcetype to these events?</P> <P>If so: that will not work like this. Only indextime config for the original sourcetype will be applied. You can't override the sourcetype and then apply different indextime config based on that new sourcetype value.</P> Tue, 10 Dec 2019 16:00:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502820#M85652 FrankVl 2019-12-10T16:00:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502821#M85653 <P>There is no transforming here.</P> Fri, 13 Dec 2019 16:34:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-prevent-Splunk-from-converting-time-to-date/m-p/502821#M85653 indeed_2000 2019-12-13T16:34:14Z