https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323475#M96546 <P>It's really strange ... <CODE>"time":"2018-01-21 05:42:34.0"</CODE> <BR /> There is only time field and all the events are of the same format...Some are taking the correct value and some are not even in the range or just picking up some random timestamp which is not even present in the event <BR /> The data is being sent from S3 input from AWS addon </P> Tue, 23 Jan 2018 20:21:38 GMT nawazns5038 2018-01-23T20:21:38Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323472#M96543 <P>Hi,</P> <P>the log has timestamp like this <CODE>"time":"2018-01-22 13:43:40.0"</CODE> </P> <P>props.conf : <BR /> TIME_FORMAT = %F %T.%3N<BR /> TIME_PREFIX = "time":\"<BR /> MAX_TIMESTAMP_LOOKAHEAD = 25</P> <P>that was the props conf used. The setting worked fine while testing. After indexing the data the timestamp shown in Splunk or _time has come upto <CODE>"11/28/17 4:06:53.568 PM"</CODE> . which is even no where present in the event. </P> <P>How can this be resolved. Please help. </P> Tue, 29 Sep 2020 17:46:32 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323472#M96543 nawazns5038 2020-09-29T17:46:32Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323473#M96544 <P>Can you paste the full <CODE>_raw</CODE> of the event in question? Sometimes there are multiple instances of timestamps on one message, which can confuse Splunk.</P> Tue, 23 Jan 2018 04:08:51 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323473#M96544 micahkemp 2018-01-23T04:08:51Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323474#M96545 <P>Hi nawazns5038, <BR /> Could you please provide sample events? Also in TIME_PREFIX try changing rex to <CODE>\"time\"\:\"</CODE></P> Tue, 23 Jan 2018 04:18:56 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323474#M96545 p_gurav 2018-01-23T04:18:56Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323475#M96546 <P>It's really strange ... <CODE>"time":"2018-01-21 05:42:34.0"</CODE> <BR /> There is only time field and all the events are of the same format...Some are taking the correct value and some are not even in the range or just picking up some random timestamp which is not even present in the event <BR /> The data is being sent from S3 input from AWS addon </P> Tue, 23 Jan 2018 20:21:38 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323475#M96546 nawazns5038 2018-01-23T20:21:38Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323476#M96547 <P>@p_gaurav </P> <P>There is only time field and all the events are of the same format...Some are taking the correct value and some are not even in the range or just picking up some random timestamp which is not even present in the event <BR /> The data is being sent from S3 input from AWS addon </P> Tue, 23 Jan 2018 20:36:26 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323476#M96547 nawazns5038 2018-01-23T20:36:26Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323477#M96548 <P>Are the events 'breaking' properly? Ie, one valid json block per event?<BR /> Also is it aws generated data (s3/cloudwatch logs) etc, or your own log data?</P> Tue, 23 Jan 2018 20:52:07 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323477#M96548 nickhills 2018-01-23T20:52:07Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323478#M96549 <P>Ya breaking is proper and props has been tested with the sample data as well. It is only one Json block. <BR /> Data is pulled from S3 buckets and it is not AWS default data . and it is pulling lots of .gz files which has json files in it <BR /> Is it a problem related to the Addon ? </P> Tue, 23 Jan 2018 23:22:26 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323478#M96549 nawazns5038 2018-01-23T23:22:26Z https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323479#M96550 <P>Can you check _internal logs for particular S3 input? Is there any timestamp related warning or error? </P> Wed, 24 Jan 2018 07:07:14 GMT https://community.splunk.com/t5/Splunk-Search/splunk-time-not-matching-with-timestamp/m-p/323479#M96550 p_gurav 2018-01-24T07:07:14Z