https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422302#M191049 <P>The body of your question appears unrelated to the topic.<BR /> Where are the timestamps in your sample event? What are the props.conf settings for the event's sourcetype?</P> Fri, 02 Aug 2019 12:51:06 GMT richgalloway 2019-08-02T12:51:06Z https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422300#M191047 <P>I investigate issue of creating too many new warm buckets and while I do that, one of the events which according to log splunkd has issues has strange problem which I am curious to find out why this happens.</P> <P>The event:<BR /> fdsfds fsdf as dsfsd fdsfds fdsfds fdsfd dsfds dsf.dd</P> Fri, 02 Aug 2019 09:10:38 GMT https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422300#M191047 net1993 2019-08-02T09:10:38Z https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422301#M191048 <P>For some reason I cannot post the whole event so I place it as comment:<BR /> fdsfds fsdf as dsfsd fdsfds fdsfds fdsfd dsfds dsf.dd</P> Fri, 02 Aug 2019 09:22:56 GMT https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422301#M191048 net1993 2019-08-02T09:22:56Z https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422302#M191049 <P>The body of your question appears unrelated to the topic.<BR /> Where are the timestamps in your sample event? What are the props.conf settings for the event's sourcetype?</P> Fri, 02 Aug 2019 12:51:06 GMT https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422302#M191049 richgalloway 2019-08-02T12:51:06Z https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422303#M191050 <P>Sorry, splunks website filters timestamps for some reason. I tried to paste it many times but its same.<BR /> Basicaly: I have 1 event with first 1 unix timestamp and then there is another timestamps with format: Y-m-d h:i:s... and splunk for some reason takes the second timestamp even thought its after the epoch timestamp which is my question why it does that. The sourcetype is default and nothing custom in it.</P> Fri, 02 Aug 2019 12:56:15 GMT https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422303#M191050 net1993 2019-08-02T12:56:15Z https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422304#M191051 <P>Enclose your sample event in either backticks (<CODE>):<BR /> </CODE>2019-08-02T00:00:00.000 timestamp1 Jan 1, 1970 00:01:02.003 timestamp2`<BR /> or code tags:<BR /> &lt; pre&gt; ... &lt; /pre&gt;<BR /> (remove the space after the opening less than sign)<BR /> <PRE><BR /> 2019-08-02T00:00:00.000 timestamp1 Jan 1, 1970 00:01:02.003 timestamp2<BR /> </PRE></P> Fri, 02 Aug 2019 13:04:09 GMT https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422304#M191051 jnudell_2 2019-08-02T13:04:09Z https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422305#M191052 <P>It sounds like the two timestamps have different formats and Splunk is finding the one that matches what is in datetime.xml. You need to override that using the props.conf settings <CODE>TIME_PREFIX</CODE>, <CODE>TIME_FORMAT</CODE>, and <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>. As soon as you post examples of the timestamps we can tell you what the settings should be.</P> Fri, 02 Aug 2019 13:24:10 GMT https://community.splunk.com/t5/Splunk-Search/why-splunk-extracts-the-second-timestamp-instead-of-first/m-p/422305#M191052 richgalloway 2019-08-02T13:24:10Z