Preface: The timestamp is in HHMM format from the source, year/month/day information is not provided. The data is provided via a TCP string from a CDR log.
I have the following input string:
"\x00\x00\x00130000059 C9E840 1210....."
I have added entries to the local props.conf as follows:
[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M
The issue: timestamps appear to work fine EXCEPT for the first 5 minutes of each hour. In the example above the timestamp is 4 digits long, starting after position 12, with a value of "1300"; however, Splunk is decoding the timestamp as "1359" instead of "1300" as defined. Once time reaches 6 minutes past the hour, the timestamp works as expected, producing a timestamp of "1306"; an example is:
"\x00\x00\x00130600869 C9E820 713....."
Any assistance is greatly appreciated.
Updated from version 4.1.5 to 4.1.6 and updated the local props.conf as follows, then restarted Splunk.
[source::tcp:9001]
TZ = America/Chicago
CHECK_FOR_HEADER = False
SHOULD_LINEMERGE = False
MAX_TIMESTAMP_LOOKAHEAD = 16
TIME_PREFIX = ^.{12}
TIME_FORMAT = %H %M
The issue appears to be resolved in cursory testing, however I will edit/update accordingly after additional testing has been verified.