https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214772#M62978 <P>I added this to the props.conf stanza on the search head under system/local/ and it didn't help. I am still getting logs with wrong year in them. </P> Wed, 22 Jun 2016 02:01:53 GMT daniel_augustyn 2016-06-22T02:01:53Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214770#M62976 <P>I am not sure how to fix the date extraction from a raw log which is done by default by Splunk. Splunk extracts date by default and it's not doing the year correctly. </P> <P>This is the raw log: </P> <PRE><CODE>Jun 21 00:00:32 10.20.14.12 Jun 20 17:00:32 : 2016/06/20 17:00:32 PDT,1,7016505,L2 Poll Failed,0,10596,,LAB,10.18.8.1,,L2 Poll failed to read hosts from LAB. </CODE></PRE> <P>And this is date that is getting extracted: </P> <PRE><CODE>6/20/12 5:00:32.000 PM </CODE></PRE> <P>Anyone knows how to fix it? </P> Tue, 21 Jun 2016 00:09:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214770#M62976 daniel_augustyn 2016-06-21T00:09:24Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214771#M62977 <P>Do you have any way of modifying the format of these logs? Ideally the first portion of your log would be a valid timestamp. In this case Splunk is getting confused because it sees a portion of a valid date at the beginning of the log.</P> <P>You may be able to work around it using the following, assuming this is your timestamp: </P> <PRE><CODE>2016/06/20 17:00:32 PDT </CODE></PRE> <P>You'll need to configure a props.conf file to recognize this.</P> <PRE><CODE>[your_sourcetype] TIME_PREFIX = ^.*\s:\s MAX_TIMESTAMP_LOOKAHEAD = 24 TIME_FORMAT = %Y/%m/%d %T %Z </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configuretimestamprecognition</A></P> Tue, 21 Jun 2016 00:39:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214771#M62977 ryanoconnor 2016-06-21T00:39:16Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214772#M62978 <P>I added this to the props.conf stanza on the search head under system/local/ and it didn't help. I am still getting logs with wrong year in them. </P> Wed, 22 Jun 2016 02:01:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214772#M62978 daniel_augustyn 2016-06-22T02:01:53Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214773#M62979 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127577">@daniel_augustyn</a> , theses setting need to be done where the parsing is happening, usually an indexer or a heavyweight forwarder. See this <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F" target="_blank">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A> to learn more about this topic.</P> Tue, 29 Sep 2020 09:59:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214773#M62979 MuS 2020-09-29T09:59:20Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214774#M62980 <P>Awesome, it totally fixed it. </P> Wed, 22 Jun 2016 04:28:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-Splunk-to-extract-the-correct-year-from-the/m-p/214774#M62980 daniel_augustyn 2016-06-22T04:28:17Z