Getting Data In

Error message while parsing timestamp dated after 19-12-31

sdkp03
Communicator

We are currently using Splunk version 7.2.7. As per the Splunk recommendation related to "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" I did replace datetime.xml file in /opt/splunk/etc folder and restarted the Splunk instances.

I modified the parameter MAX_DAYS_HENCE parameter in props.conf as recommended. However, when trying to ingest data dated "19-12-31 23:58:44" and "20-01-02 23:58:54" am seeing an error message - Could not use regex to parse timestamp from 19-12-31.

For testing purposes, I did ingest data with timestamp dated 14-12-2019 to verify if the props.conf setting was overridden to 40. Unfortunately, I see that it's still not reflecting.

Error message while indexing this date:

1) A possible timestamp match (Fri Dec 13 23:58:54 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAY_HENCE.

2) Failed to parse timestamp in first MAX_TIMSTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Dec 11 23:58:54 2019).

I did run btool to verify for conflicts and it shows the MAX_DAYS_HENCE value as 40 (as expected). Can someone please assist me in getting around with this issue.

0 Karma
1 Solution

sdkp03
Communicator

Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.

View solution in original post

0 Karma

sangeetapalacce
New Member

Hi,

I have updated MAX_DAYS_HENCE in props.conf file however noticed that 2 digit year timestamp in this format(Jan 02, 20) its able to recognize and others are not. Have you updated any other parameter?

0 Karma

sdkp03
Communicator

Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...