Getting Data In

Error message while parsing timestamp dated after 19-12-31

sdkp03
Communicator

We are currently using Splunk version 7.2.7. As per the Splunk recommendation related to "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" I did replace datetime.xml file in /opt/splunk/etc folder and restarted the Splunk instances.

I modified the parameter MAX_DAYS_HENCE parameter in props.conf as recommended. However, when trying to ingest data dated "19-12-31 23:58:44" and "20-01-02 23:58:54" am seeing an error message - Could not use regex to parse timestamp from 19-12-31.

For testing purposes, I did ingest data with timestamp dated 14-12-2019 to verify if the props.conf setting was overridden to 40. Unfortunately, I see that it's still not reflecting.

Error message while indexing this date:

1) A possible timestamp match (Fri Dec 13 23:58:54 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAY_HENCE.

2) Failed to parse timestamp in first MAX_TIMSTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Dec 11 23:58:54 2019).

I did run btool to verify for conflicts and it shows the MAX_DAYS_HENCE value as 40 (as expected). Can someone please assist me in getting around with this issue.

0 Karma
1 Solution

sdkp03
Communicator

Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.

View solution in original post

0 Karma

sangeetapalacce
New Member

Hi,

I have updated MAX_DAYS_HENCE in props.conf file however noticed that 2 digit year timestamp in this format(Jan 02, 20) its able to recognize and others are not. Have you updated any other parameter?

0 Karma

sdkp03
Communicator

Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...