@PickleRick Please don't take my words otherwise. I didn't mean to say that. Btw way thanks for correcting me. I will take care with my words from the next time.

Thought as much, it's just worth noting that things can be perceived differently than what we wanted to say 😉

Now, check the technical part of my response 🙂

Most probably, you need to increase the lookahead because you have no timestamp in first 24 chars of your event. The architectural issue might also mean that when you fix that you'll be doing the right thing but in wrong place.

@PickleRick According to your suggestion my settings will be as below 

MAX_TIMESTAMP_LOOKAHEAD = 520
 ( timestamps comes after 520 character of events)

@PickleRick No, I am not using INDEXED_EXTRACTIONS.


I am using KV_MODE=xml in my setting ( props). Is there any other significance of INDEXED_EXTRACTIONS ? 

Yes, INDEXED_EXTRACTIONS can alter the procesing path of your event. Without it the event is parsed on the first "heavy" component the event goes through - typically either the intermediate HF or the destination indexer. When you enable indexed extractions on a UF, the data is parsed directly on the originating UF and is not touched after that (apart from possible ingest actions).

@PickleRick I am using the standalone machine ( act as search head and indexer both ). So its good to add this attribute in props ?

No, no, no. Don't add it anywhere.

Where are you ingesing the data from? A file on this Splunk server or by means of a remote UF?

@PickleRick Here I am monitoring the network files from the network folder.

No UF, No HF I am using.

OK. And you have your props.conf on that HF?

@PickleRick No, I am using standalone windows machine. On the same machine I am using props.

Ahhh, I misread. You wrote "no uf, no hf" I read "no uf, on hf I'm using..."

My bad. Forget it 🙂

Hi @uagraw01 .. for the timeformat.. did you apply both mine and @yuanliu 's timeformat's?..

(after updating the props.conf, you must restart the splunk services.. then only the changes will be inserted to Splunk)

1) Pls give us the search query you are using.. 

what you see on the results is your splunk user profile's timezone setting. 

2) on your Splunk user profile, pls make sure you have the right timezone settings (click on your username---- > Account settings---- > Time Zone)

@inventsekar 
If you see the below attached screenshot. The first three events is matching but the last one event is always creating an issue. 

FYI : I am using default timezone setting.

The first three may be working because Splunk might not be finding the timestamp you are searching for within 520 characters, so it is finding the sbt:MessageTimeStamp, which happens to be the same as the EventTime in these events.

sbt:MessageTimeStamp does not exist in the failing event so Splunk is using the ingest time in the fourth event.

The fourth event is a different format to the the other three events "eqtext:EquipmentEvent" instead of "eqtexo:EquipmentEventReport" so should ideally be in a different sourcetype (at least the source file names are different so it should be relatively easy to split them off).

The timestamp in the fourth event is at least around 627 characters in so your lookahead should at least cover that (and as @PickleRick said, it looks like you are dealing with variable length data, so 627 may not be enough).

if 3 results got good timestamp meaning, props.conf is working fine. 

lets troubleshoot the 4th one.. 

pls copy paste your search query..  (remove the hostnames, confidential info etc.. )