Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Not Recognizing Timestamps – What Settings Should I Use?

splunk_user_99
Explorer
‎02-02-2025 04:00 AM

Hello everyone,

 

I’m having trouble getting Splunk to recognize timestamps correctly, and I hope someone can help me out. I’m importing an access log file, where the timestamps are formatted like this:

 

[01/Jan/2017:02:16:51 -0800]

here also a live output:

81341BD6-AE01-4FF1-99EA-6C755D6680AD.png

However, Splunk is not recognizing these timestamps and instead assigns the indexing time.

 

I have tried adjusting the settings in the sourcetype configuration (see screenshot) and have set the following values:

Timestamp format: %d/%b/%Y:%H:%M:%S %z

Timestamp prefix: \[

Lookahead: 32

 

Unfortunately, the timestamps are still not recognized correctly.

👉 Do I need to modify props.conf or inputs.conf as well?

👉 Is my timestamp format correct, or should it be defined differently?

👉 Could there be another issue in my extraction settings?

 

The log file looks like this:

IMG_1085.jpeg

Should I maybe change the log file with some scripting in order to change the format?

 

I would really appreciate any guidance! Thank you in advance. 😊

 

Best regards

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-02-2025 04:11 AM

It looks like your time extraction settings are corrrect, however you need to add MAX_DAYS_AGO to be a higher value (eg 3000) for Splunk to accept that 2017 timestamp as the default is 2000 and therefore Splunk is not accepting the date.

Let me know if adding MAX_DAYS_AGO=3000 to your extraction config works!

Good luck

Will

View solution in original post

Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-02-2025 04:11 AM

It looks like your time extraction settings are corrrect, however you need to add MAX_DAYS_AGO to be a higher value (eg 3000) for Splunk to accept that 2017 timestamp as the default is 2000 and therefore Splunk is not accepting the date.

Let me know if adding MAX_DAYS_AGO=3000 to your extraction config works!

Good luck

Will

Reply
Solved! Jump to solution

splunk_user_99
Explorer
‎02-02-2025 10:54 AM

Hey Will,

I just wanted to say a huge THANK YOU for your help! 🙌

Your suggestion to increase MAX_DAYS_AGO to 3000 completely solved my issue, and Splunk now correctly recognizes my timestamps.

Honestly, I had been struggling with this for quite some time, and your solution saved me a lot of time and frustration. I really appreciate the effort you put into answering my question.

 

Thanks again, and have a great day! 🚀

 

Best,

Emil

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...