Solved: A possible timestamp match is outside of the acce...

sbattista09 · ‎03-03-2015

im not getting any new logs into splunk after i set up a new input "file monitor". the CSV has no time stamps so splunk should see the creation date of the file? has anyone ran into this before?

This input worked once and now its not getting this error-
splunkd log-

03-03-2015 09:23:11.015 -0500 WARN  DateParserVerbose - A possible timestamp match (Fri Mar 18 23:01:49 2005) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::\\fileserver\file.CSV|host::list|csv|101514


[monitor://\\fileserver\file]
disabled = false
followTail = 1
host = list
index = index1
crcSalt = <SOURCE>
sourcetype = csv

sbattista09 · ‎03-09-2015

it looks like it was because the file was renamed and added a few times throwing things off. I deleted the files i didn't need in Splunk and that seemed to have solved my problem.

The Directory had two files in it but, Splunk was seeing 4. Ill admit i don't fully understand why the time was getting messed up but everything seems back to normal.

thank you for your time and input rich.

View solution in original post

sbattista09 · ‎03-09-2015

it looks like it was because the file was renamed and added a few times throwing things off. I deleted the files i didn't need in Splunk and that seemed to have solved my problem.

The Directory had two files in it but, Splunk was seeing 4. Ill admit i don't fully understand why the time was getting messed up but everything seems back to normal.

thank you for your time and input rich.

richgalloway · ‎03-03-2015

What has changed since the input last worked?

---
If this reply helps you, Karma would be appreciated.

sbattista09 · ‎03-03-2015

would there bee a way to force splunk to use a date to avoid this?

richgalloway · ‎03-03-2015

Splunk is supposed to use the file modification time if it cannot find a timestamp in the file contents. That leads me to conclude Splunk is mis-interpreting something in your new CSV file as a timestamp. Look closely at the header and data to see if there is something that resembles a date or time.

---
If this reply helps you, Karma would be appreciated.

sbattista09 · ‎03-03-2015

it looks like it was because the file was renamed and added a few times throwing things off. I dleted the files i didn't need in Splunk and that seemed to have solved my problem.

The Directory had two files in it bu,t Splunk was seeing 4. Ill admit i don't fully understand why the time was getting messed up but everything seems back to normal.

thank you for your time and input!

sbattista09 · ‎03-03-2015

a new csv file was added, it has the same formatting.

A possible timestamp match is outside of the acceptable time window.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation