Getting Data In

Timestamp matching outside of the acceptable window

yog123
New Member

Getting the below error after upgrading to the latest Splunk version:
10-11-2019 08:02:49.775 +0000 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sun Nov 10 09:02:47 2019) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=C:\splunk_file\DMVPN Daily Config Backup.txt|host=DTRAFLON2K121|ncm|1584

0 Karma

woodcock
Esteemed Legend

It is clear to me. Your event with timestamp 10-11-2019 08:02:49.775 +0000 is being *mis*interpreted as Sun Nov 10 09:02:47 2019 instead of Sat Oct 11 09:02:47 2019. This is almost always because you are letting Splunk guess at your timestamp instead of TELLING IT yourself. You need to create a props.conf with these settings:

TIME_PREFIX = <Your RegEx Here>
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 29

NEVER let Splunk guess at anything.

0 Karma

richgalloway
SplunkTrust

It appears as though Splunk is using a month-day-year time format instead of day-month-year. To confirm that, please share some sample events (sanitized as necessary) as well as the TIME_FORMAT setting for that sourcetype.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
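
Added example, not part of any reply in this thread and not Splunk's own code: a Python sketch of the month-first versus day-first ambiguity discussed above, with a window check modelled on MAX_DAYS_AGO and MAX_DAYS_HENCE. Assumptions: the raw event string is constructed (the thread does not show one), the reference time is the warning's own log time read as month-day-year, and the window values 2000 and 2 are the props.conf defaults.

```python
from datetime import datetime, timedelta

# props.conf defaults for the acceptable timestamp window, in days.
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2

def in_window(ts, now, days_ago=MAX_DAYS_AGO, days_hence=MAX_DAYS_HENCE):
    """True if ts lies inside [now - days_ago, now + days_hence]."""
    return now - timedelta(days=days_ago) <= ts <= now + timedelta(days=days_hence)

def interpret(raw, formats, now):
    """Parse raw with each strptime format; map format -> (timestamp, in_window)."""
    results = {}
    for fmt in formats:
        try:
            ts = datetime.strptime(raw, fmt)
        except ValueError:
            results[fmt] = None  # this format cannot match the string at all
            continue
        results[fmt] = (ts, in_window(ts, now))
    return results

def plausible_formats(raw, formats, now):
    """Formats that parse raw and land inside the window.

    More than one entry means the window check alone cannot tell the
    interpretations apart, so the format has to be set explicitly.
    """
    return [f for f, r in interpret(raw, formats, now).items() if r and r[1]]

# Constructed sample event timestamp (hypothetical; not taken from the thread).
RAW = "11-10-2019 09:02:47"
# Log time of the warning shown in the question, read as month-day-year.
NOW = datetime(2019, 10, 11, 8, 2, 49)
FORMATS = ["%m-%d-%Y %H:%M:%S", "%d-%m-%Y %H:%M:%S"]

if __name__ == "__main__":
    for fmt, res in interpret(RAW, FORMATS, NOW).items():
        print(fmt, "->", res)
    print("plausible:", plausible_formats(RAW, FORMATS, NOW))
```

Run a month later, both readings of the same string fall inside the window and no warning would distinguish them, which is why an explicit TIME_FORMAT matters for log timelines.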