Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I configure my heavy forwarders to pars...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I configure my heavy forwarders to parse the timestamp for a WinRegistry sourcetype?
Hello
I'm having an issue with timestamping for my WinRegistry data.
I don't know whether by design, or for some other reason, the timestamp in the logs are as such:
11/02/11154 14:24:53.046
which of course is interpreted incorrectly. These Universal Forwarders forward to a cluster of Heavy Forwarders where an app SHOULD set the timestamp:
[WinRegistry]
DATETIME_CONFIG = CURRENT
but this does not seem to be the case as I have logs that go back to 1969 and forward to 2032.
Any ideas on where the issue may be?
Thanks for the thoughts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your sourcetype must match EXACTLY; does it? You must restart your Splunk instance on the server where you changed this setting.
I would not use this approach, though; I would use SEDCMD to rewrite the timestamp with this:
s/^(\d+\/\d+)\/1115/\1\/2014/
You will have to fix this every New-Year's Eve (or until you can get the log writer/formatter fixed).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah they match, in the app on the UF its:
[source::....winregistry]
sourcetype = WinRegistry
in the props on the HF the stanza is:
[WinRegistry]
DATETIME_CONFIG = CURRENT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you restart splunk instances?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I did. This has actually been in place for quite some time and hasn't been working. Just haven't had time for get to it until now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I actually have a webex with support on this today. I believe that there's an issue with linebreaking and its inserting values where they should not be and its affecting the timestamp.
Thanks for looking at it!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
