https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48864#M11694 <P>Did you check this after a restart, and only on events that have been indexed after you made your changes? Because the events that are already in the indexed will not be affected by these changes.</P> Fri, 11 May 2012 07:02:26 GMT Ayn 2012-05-11T07:02:26Z https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48861#M11691 <P>I had an IBM reporting program exporting CSV data with Splunk reading it correctly for a few hours. During this period, I also exported 30 days worth of historical data, and had it all imported correctly. </P> <P>As soon as the clock ticked past midnight on the 10th of May, everything started going a bit weird. Events from yesterday (10/May/2012) were interpreted as the 12th of May 2010. Events from today are going in as the 12th of May 2011. </P> <P>Here is an example of CSV data that worked correctly</P> <P>devicename,volumename,9/05/12 18:05,</P> <P>And here is an example of CSV data that did not work correctly</P> <P>devicename,volumename,11/05/12 09:19</P> <P>As you can see, the date codes in both are in the same format. One worked correctly, one didn't, and I can't work out why. </P> <P>The data is picked up with this section of inputs.conf</P> <PRE><CODE>monitor://C:\IBM\TPC\data\log\reports\splunk_mdiskgrp] alwaysOpenFile= 1 disabled = false sourcetype=ibm-tpc-mdg </CODE></PRE> <P>I've tried in vain to add this kind of thing to the props.conf based on what I found online, with no success. Full disclosure: I have no idea what I'm doing. </P> <PRE><CODE>[ibm-tpc-mdg] TIME_FORMAT = %d/%m/%y %H:%M MAX_TIMESTAMP_LOOKAHEAD = 57 TIME_PREFIX = (?i).*?,(?P&lt;FIELDNAME&gt;\d+/\d+/\d+\s+\d+:\d+)(?=,) </CODE></PRE> <P>I'm hoping someone has seen this kind of thing before!</P> Fri, 11 May 2012 00:12:40 GMT https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48861#M11691 lautero 2012-05-11T00:12:40Z https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48862#M11692 <P>The <CODE>TIME_PREFIX</CODE> should not have a field-extractig regex in it. It should match the text just BEFORE the timestamp starts, but not the timestamp itself. </P> <P>Try this: </P> <PRE><CODE>TIME_PREFIX = ^[^,]+,[^,]+,\s* </CODE></PRE> <P>Hope this helps,</P> <P>Kristian </P> Fri, 11 May 2012 06:33:35 GMT https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48862#M11692 kristian_kolb 2012-05-11T06:33:35Z https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48863#M11693 <P>Thanks Kristian, I've given that a shot but it hasn't made any difference.</P> Fri, 11 May 2012 06:54:15 GMT https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48863#M11693 lautero 2012-05-11T06:54:15Z https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48864#M11694 <P>Did you check this after a restart, and only on events that have been indexed after you made your changes? Because the events that are already in the indexed will not be affected by these changes.</P> Fri, 11 May 2012 07:02:26 GMT https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48864#M11694 Ayn 2012-05-11T07:02:26Z https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48865#M11695 <P>could you post a couple of actual log events?</P> <P>/k</P> Fri, 11 May 2012 10:25:36 GMT https://community.splunk.com/t5/Splunk-Search/Date-code-being-interpreted-incorrectly/m-p/48865#M11695 kristian_kolb 2012-05-11T10:25:36Z