splunk props timestamp issue

kirrusk — Fri, 25 Jun 2021 09:31:09 GMT

I have a CSV file with the below data, trying to push to Splunk.

Example -

Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu JUN25 12:27:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name2,address2,Thu JUN 25 03:65:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name3,address3,Thu JUN 25 05:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name4,address4,Thu MAY26 06:25:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name5,address5,Thu MAY26 06:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name6,address6,Thu JAN14 07:15:52 +08 2021,Active

props setting

in props using fourth field as timestamp.

SHOULD_LINEMERGE= FALSE FIELD_DELIMETER=, HEADER_FIELD_DELIMETER=, FIELD_NAMES=Time,names,address,creationtime,status TIMESTAMP_FIELDS=creationtime TZ=Asia/Singapore

by using the above props I can able to push only the latest date data, other events are missing in Splunk.

for example, I can see only JUN25th data. remaining events are missing.

Can someone explain, what might be the cause.

Re: splunk props timestamp issue

smurf — Fri, 25 Jun 2021 13:47:33 GMT

I would try looking at timestamp extraction configuration. Specifically MAX_DAYS_AGO and MAX_DIFF_SECS_AGO in props.conf

It could be the case that Splunk thinks that your events are far in the past and therefore not indexing them.

topic Re: splunk props timestamp issue in Splunk Search

splunk props timestamp issue

Re: splunk props timestamp issue