https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87689#M97240 <P>I think that the time prefix and lookahead will still work. Although I might change the lookahead value to 50 instead of 60. And I am not sure why It messed up the timestamp..</P> Thu, 08 Mar 2012 18:04:48 GMT lguinn2 2012-03-08T18:04:48Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87686#M97237 <P>I know there have been other questions asked about splunk parsing dates. However, I have what appears to be a unique situation where I do not understand how Splunk is interpreting dates.</P> <P>I have the following log entries:</P> <PRE><CODE>8:58:05.202 PM [3/6/12 19:58:05:202 EST] 000002f9 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Tue Mar 06 19:55:26 EST 2012, current Date: Tue Mar 06 19:58:05 EST 2012. host=fmgpapp05 Options| sourcetype=RulesOnline Options| source=/log/parpapp051/SystemOut.log Options| date_mday=12 Options| date_hour=19 Options| date_minute=58 Options </CODE></PRE> <P>Why is Splunk tagging the log entry as "06/12/11" when the log date is actually "3/6/12"?</P> Thu, 08 Mar 2012 14:48:06 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87686#M97237 steveirogers 2012-03-08T14:48:06Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87687#M97238 <P>Why is - Because Splunk sees the first date as the timestamp. But don't worry, you can easily fix that. I assume that the sourcetype for this data is RulesOnline. In <STRONG>$SPLUNK_HOME/etc/system/local/props.conf</STRONG>, put </P> <PRE><CODE>[RulesOnline] TIME_PREFIX =\[ MAXTIMESTAMPLOOKAHEAD = 60 </CODE></PRE> <P>This tells Splunk that the timestamp appears AFTER the first <STRONG>[</STRONG> and that the timestamp appears within the first 60 characters of the event. When there are multiple strings that <EM>could</EM> be interpreted as timestamps, you sometimes need to give Splunk a little help to pick the right one.</P> <P>There is more info in the manual <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps">here</A>.</P> Thu, 08 Mar 2012 15:27:20 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87687#M97238 lguinn2 2012-03-08T15:27:20Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87688#M97239 <P>Thanks Lguinn. My question might have been misleading and I just want to clarify.<BR /> The "6/12/11" is not part of the log entry. The actual log entry is:<BR /> 8:58:05.202 PM [3/6/12 19:58:05:202 EST] 000002f9 LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Tue Mar 06 19:55:26 EST 2012, current Date: Tue Mar 06 19:58:05 EST 2012</P> <P>Splunk is creating the log entry as "6/12/11" when I would have expected it to be "03/06/12"</P> Thu, 08 Mar 2012 16:13:33 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87688#M97239 steveirogers 2012-03-08T16:13:33Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87689#M97240 <P>I think that the time prefix and lookahead will still work. Although I might change the lookahead value to 50 instead of 60. And I am not sure why It messed up the timestamp..</P> Thu, 08 Mar 2012 18:04:48 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Parsing-dates-incorrectly/m-p/87689#M97240 lguinn2 2012-03-08T18:04:48Z