Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamp extractor issue on UF

LIS
Path Finder
‎08-21-2025 04:36 AM

I have two time stamps in each record 2025-08-20 17:37:00.317 and SEN_20250820153640.1703351.txt.

And want to use first one, but timestamp extractor chooses second from file name, neglecting my config.  

Example of record:

2025-08-20 17:37:00.317 INF transferred file bytes=7642 file=/map/sen-tig/SEN_20250820153640.1703351.txt pid=4170 speed_mbps=2.1 time_ms=29.2

 

inputs.conf

[monitor:///apps/sftp_sender/var/log/sftp*.log]
disabled = false
index = messaging
sourcetype = messaging:ms:log

 

props.conf

[messaging:ms:log]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TZ = Europe/Brussels

 

I also tried to use DATETIME_CONFIG = NONE (and CURRENT) , but it doesnt work.

I still see in Splunk _time = "second timestamp from record".

props.conf

[messaging:ms:log]
TZ = Europe/Brussels
DATETIME_CONFIG = NONE

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-21-2025 10:20 AM

https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

Timestamp recognition happens usually on the first "heavy" component the event goes through. So your time-related settings should be put there (usually on indexer(s) or a Heavy Forwarder if you have one between your UF and indexer(s)). There is one caveat though - if you use indexed extractions - they happen on the initial ingesting component even if it's a UF. But that's a rare use case.

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-21-2025 10:20 AM

https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

Timestamp recognition happens usually on the first "heavy" component the event goes through. So your time-related settings should be put there (usually on indexer(s) or a Heavy Forwarder if you have one between your UF and indexer(s)). There is one caveat though - if you use indexed extractions - they happen on the initial ingesting component even if it's a UF. But that's a rare use case.

Reply
Solved! Jump to solution

LIS
Path Finder
‎08-21-2025 11:26 AM

Hi @PickleRick  and @gcusello ,

Thank you for your responses, but it is not clear for me, because in our system we have lots of configs/dataflows were we have props.conf with time related parameters (TIMESTAMP_FIELDS, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT, TZ .... ) only on UF.  Our forwarders connected to indexers directly, we dont have any props.conf on indexers and it work properly).

maybe it only works with INDEXED_EXTRACTIONS ?

INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
TIMESTAMP_FIELDS = date
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-21-2025 02:34 PM

Hi @LIS ,

some pasring activities are done on the Forwarders and some others are done on the first full Splunk instance that data are passing through, in your case Indexers.

Put the props.conf on the UFs and on Indexersa, and, if you have, on Search Heads.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-21-2025 01:54 PM

If you don't have the proper config on the parsing component Splunk guesses. Sometimes does it relatively well but it's not good performancewise.

Also TIMESTAMP_FIELDS makes sense only with indexed extractions.

Reply
Solved! Jump to solution

LIS
Path Finder
‎08-22-2025 12:50 AM

Thank you for more details).

Unfortunately, it is not really clear in Splunk docs where we can use certain parameter (only UF, HF, Indexer or on any of them). how to get it?

So, I have to copy my props.conf on indexers as well, or move it from UF to indexers?

Thank you in advance:-)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-22-2025 01:04 AM

Hi @LIS ,

I usually put it both on UFs and Indexers, and Search Heads.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LIS
Path Finder
‎08-22-2025 03:02 AM

Hi @gcusello and @PickleRick ,

I copied props.conf to indexers and it works properly :-).

Thank you and have a nice day!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-22-2025 03:07 AM

Hi @LIS ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-21-2025 08:56 AM

Hi @LIS ,

where did you locate the props.conf file?

you must put it on the UF and on the first full Splunk instance.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...