Getting Data In

Error message while parsing timestamp dated after 19-12-31

sdkp03
Communicator

We are currently using Splunk version 7.2.7. As per the Splunk recommendation related to "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" I did replace datetime.xml file in /opt/splunk/etc folder and restarted the Splunk instances.

I modified the parameter MAX_DAYS_HENCE parameter in props.conf as recommended. However, when trying to ingest data dated "19-12-31 23:58:44" and "20-01-02 23:58:54" am seeing an error message - Could not use regex to parse timestamp from 19-12-31.

For testing purposes, I did ingest data with timestamp dated 14-12-2019 to verify if the props.conf setting was overridden to 40. Unfortunately, I see that it's still not reflecting.

Error message while indexing this date:

1) A possible timestamp match (Fri Dec 13 23:58:54 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAY_HENCE.

2) Failed to parse timestamp in first MAX_TIMSTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Dec 11 23:58:54 2019).

I did run btool to verify for conflicts and it shows the MAX_DAYS_HENCE value as 40 (as expected). Can someone please assist me in getting around with this issue.

0 Karma
1 Solution

sdkp03
Communicator

Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.

View solution in original post

0 Karma

sangeetapalacce
New Member

Hi,

I have updated MAX_DAYS_HENCE in props.conf file however noticed that 2 digit year timestamp in this format(Jan 02, 20) its able to recognize and others are not. Have you updated any other parameter?

0 Karma

sdkp03
Communicator

Issue was with props.conf not edited on cluster master. Once props.conf was edited on cluster master I could see it working as expected. Please ensure props.conf is edited correctly on the node from which testing is intended to be performed.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...