I'm trying to get logs time stamped correctly in Splunk. The format of the logs is one line per event, each line has a time stamp. There is a date stamp at the top of the log.

In one of the logs, the time stamp jumps from 00:58:16.156 to 05:59:15.281. For some reason Splunk is interpreting the timestamp as 1 day earlier?

It's the 40th event down in the log... so 40 good interpretations, and after a 5 hour jump Splunk thinks it's 1 day earlier?

Here is the first line of the log:
Splunk Preview Log
4/18/13 12:00:00.000 AM 18/04/2013 - 00:33:51.828 - LOG OPENED - CHANGE OF DATE

The rest of the log only has time stamp at the beginning:
37 4/18/13 12:58:16.156 AM 00:58:16.156 +263852 closing dst socket...
38 4/18/13 12:58:16.156 AM 00:58:16.156 +263852 closing dst size socket...
39 4/17/13 5:59:15.281 AM 05:59:15.281 +Adding dub job 263853 ...
40 4/17/13 5:59:15.359 AM 05:59:15.359 +Trying to add
41 4/17/13 5:59:15.359 AM 05:59:15.359 ++263853 Connected to source

If I set the MAX_DAYS_AGO = 1
Splunk attempts to interpret the time stamp as 4/17/2013, but because it is outside the date range, instead sets the date time to the last time stamp.
Which gives me 1,980 events all at one time making the log useless.

I've tried:
• setting Timestamp never extends more than 13 chars into the event.
• setting the strptime format as %d/%m/%Y (this picks up the date at the top of the log, but then fails for the timestamps (yellow triangle) and yet recognizes them (green highlight).
• setting the strptime format as %h:%m:%s.%3N: this doesn't work for the timestamps in the log & fails for the date at the top of the log. Yet Splunk recognizes them (green highlight)
• prefexing Timestamp by a pattern of +, recognizes both DateStamp & TimeStamps with no errors, however, same issue of setting time back a day after 5 hour jump in log.

Any other ideas out there on how to get this set up?

The way this equipment is set to log, is create 1 file per day. The logs are named Day_05.txt, Day_06.txt. I checked some of the other log files and there are no problems getting the data in correctly.

It appears that there is something with Splunk that doesn't like going from a 00 hour to a 05 hour and it causes misinterpretation of the date, if there is no date included with the time stamp.

Not sure if there is something I can look for in the Splunk logs that would confirm this theory.

Just did a test by modifying a test file and adding date in front of each time stamp. Was interpreted correctly.
18/04/2013 - 00:33:51.828 - LOG OPENED - CHANGE OF DATE

18/04/2013 00:33:51.828 +Adding dub job 263851 ...
18/04/2013 00:33:51.906 +Trying to add
18/04/2013 05:59:15.281 +Adding dub job 263853 ...
18/04/2013 05:59:15.359 +Trying to add

Another test by incrementing the time by 1 hour increments. Interpreted correctly.
18/04/2013 - 00:33:51.828 - LOG OPENED - CHANGE OF DATE

00:33:51.828 +Adding dub job 263851 ...
01:33:51.906 +Trying to add
02:59:15.281 +Adding dub job 263853 ...
03:59:15.359 +Trying to add
04:33:51.828 +Adding dub job 263851 ...
05:59:15.359 +Trying to add

Tested a log file with 6 entries, with the last entry jumping from 00 hour on the 1st entry to 05 on the last entry. Interpretation failed. The left time stamp is from the Splunk preview:
2 4/18/13 12:33:51.828 AM 18/04/2013 - 00:33:51.828 - LOG OPENED - CHANGE OF DATE
3 4/18/13 12:33:51.828 AM 00:33:51.828 +Adding dub job 263851 ...
4 4/18/13 12:33:51.906 AM 00:33:51.906 +Trying to add
5 4/18/13 12:59:15.281 AM 00:59:15.281 +Adding dub job 263853 ...
6 4/18/13 12:59:15.359 AM 00:59:15.359 +Trying to add
7 4/18/13 12:33:51.828 AM 00:33:51.828 +Adding dub job 263851 ...
8 4/17/13 5:59:15.359 AM 05:59:15.359 +Trying to add
9 4/19/13 12:00:09.812 AM 19/04/2013 - 00:00:09.812 - LOG CLOSED - CHANGE OF DATE

Another test going back one hour at a time before the 05 hour mark. 04, failed. However, 03 worked.
2 4/18/13 12:33:51.828 AM 18/04/2013 - 00:33:51.828 - LOG OPENED - CHANGE OF DATE
3 4/18/13 12:33:51.828 AM 00:33:51.828 +Adding dub job 263851 ...
4 4/18/13 12:33:51.906 AM 00:33:51.906 +Trying to add
5 4/18/13 12:59:15.281 AM 00:59:15.281 +Adding dub job 263853 ...
6 4/18/13 12:59:15.359 AM 00:59:15.359 +Trying to add
7 4/18/13 3:33:51.828 AM 03:33:51.828 +Adding dub job 263851 ...
8 4/18/13 5:59:15.359 AM 05:59:15.359 +Trying to add

9 4/19/13 12:00:09.812 AM 19/04/2013 - 00:00:09.812 - LOG CLOSED - CHANGE OF DATE

On a smaller file with 00 hour and one 05 hour, I put in a timestamp format as %H:%M:%s, and it worked. However, %h:%m:%s does not work. When I tried to apply %H:%M:%s to the full file, it did not work. Not sure why an upper case would work and lower would not work... still looking for that answer.

Noticed in the splunk datetime.xml CDATA for extracting hour is

<text><![CDATA[([01]?[1-9]|[012][0-3])(?!\d)]]></text>

Not sure how to look or read this yet, but am noticing 0-3, which will parse correctly in my files, but going from 0 to 4 or 5 will not work.

Tried modifying the datetime.xml to be 0-9. No Improvement.
Also tried changing 0-3 to 0-5, although I don't think this has anything do do with the issue. No Improvement.

What's odd about this issue is that Splunk is recognizing the timestamp. I've seen some instances where a time stamp is not recognized and Splunk defaults back to the previous timestamp. This would mean Splunk is keeping a running date/time stamp for previous events in a file and possible use this to help determine the timestamp.