We are currently using Splunk version 7.2.7. As per the Splunk recommendation related to "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" I did replace datetime.xml file in /opt/splunk/etc folder and restarted the Splunk instances.

I modified the parameter MAX_DAYS_HENCE parameter in props.conf as recommended. However, when trying to ingest data dated "19-12-31 23:58:44" and "20-01-02 23:58:54" am seeing an error message - Could not use regex to parse timestamp from 19-12-31.

For testing purposes, I did ingest data with timestamp dated 14-12-2019 to verify if the props.conf setting was overridden to 40. Unfortunately, I see that it's still not reflecting.

Error message while indexing this date:

1) A possible timestamp match (Fri Dec 13 23:58:54 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAY_HENCE.

2) Failed to parse timestamp in first MAX_TIMSTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Wed Dec 11 23:58:54 2019).

I did run btool to verify for conflicts and it shows the MAX_DAYS_HENCE value as 40 (as expected). Can someone please assist me in getting around with this issue.