Getting Data In

Timestamp matching outside of the acceptable window

yog123
New Member

Getting the below error after upgrading to the latest Splunk version:
10-11-2019 08:02:49.775 +0000 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sun Nov 10 09:02:47 2019) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=C:\splunk_file\DMVPN Daily Config Backup.txt|host=DTRAFLON2K121|ncm|1584

0 Karma

woodcock
Esteemed Legend

It is clear to me. Your event with timestamp 10-11-2019 08:02:49.775 +0000 is being *mis*interpreted as Sun Nov 10 09:02:47 2019 instead of Sat Oct 11 09:02:47 2019. This is almost always because you are letting Splunk guess at your timestamp instead of TELLING IT yourself. You need to create a props.conf with these settings:

TIME_PREFIX = <Your RegEx Here>
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 29

NEVER let Splunk guess at anything.

0 Karma

richgalloway
SplunkTrust

It appears as though Splunk is using a month-day-year time format instead of day-month-year. To confirm that, please share some sample events (sanitized as necessary) as well as the TIME_FORMAT setting for that sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
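Both replies above come down to the same mechanism: a day/month-ambiguous date such as "10-11-2019" parses to two different instants depending on whether TIME_FORMAT reads it month-first or day-first, and Splunk then checks the parsed value against a window of MAX_DAYS_AGO days in the past and MAX_DAYS_HENCE days in the future relative to the time of indexing, emitting the DateParserVerbose warning when it falls outside. The script below is an added example, not code from the original thread or from Splunk: it reproduces that window check in Python for a constructed event timestamp that follows woodcock's assumption about what is in the file, using the splunkd.log time on the warning line as the indexing time. It assumes Splunk's documented defaults of MAX_DAYS_AGO = 2000 and MAX_DAYS_HENCE = 2 are in effect for the sourcetype, and substitutes Python's %f for Splunk's %3N.

```python
from datetime import datetime, timedelta, timezone

# Splunk's documented props.conf defaults for the acceptable window.
# Assumption: the sourcetype in the thread has not overridden them.
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2

# Constructed sample event timestamp: the day/month-ambiguous value that
# woodcock's reply assumes is in the backup file, carried to the second
# shown in the warning. Python's strptime uses %f where Splunk uses %3N.
RAW_EVENT_TS = "10-11-2019 09:02:47.000 +0000"
FMT_MONTH_FIRST = "%m-%d-%Y %H:%M:%S.%f %z"
FMT_DAY_FIRST = "%d-%m-%Y %H:%M:%S.%f %z"

# Constructed: the indexing time, taken from the splunkd.log timestamp
# on the warning line in the question (10-11-2019 08:02:49.775 +0000).
INDEXED_AT = datetime(2019, 10, 11, 8, 2, 49, 775000, tzinfo=timezone.utc)


def parse_event_time(raw: str, fmt: str) -> datetime:
    """Parse RAW with FMT; treat a format without %z as UTC."""
    ts = datetime.strptime(raw, fmt)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def as_splunk_ctime(ts: datetime) -> str:
    """Render the value the way the DateParserVerbose warning prints it."""
    return ts.strftime("%a %b %d %H:%M:%S %Y")


def in_acceptable_window(ts: datetime, indexed_at: datetime,
                         max_days_ago: int = MAX_DAYS_AGO,
                         max_days_hence: int = MAX_DAYS_HENCE) -> bool:
    """True when TS lies within [indexed_at - ago, indexed_at + hence]."""
    earliest = indexed_at - timedelta(days=max_days_ago)
    latest = indexed_at + timedelta(days=max_days_hence)
    return earliest <= ts <= latest


def check_format(raw: str, fmt: str, indexed_at: datetime = INDEXED_AT):
    """Return (ctime_string, accepted, days_from_index_time) for one format."""
    ts = parse_event_time(raw, fmt)
    offset_days = (ts - indexed_at).total_seconds() / 86400
    return as_splunk_ctime(ts), in_acceptable_window(ts, indexed_at), round(offset_days, 2)


if __name__ == "__main__":
    for name, fmt in (("month-first", FMT_MONTH_FIRST), ("day-first", FMT_DAY_FIRST)):
        ctime, ok, days = check_format(RAW_EVENT_TS, fmt)
        verdict = "accepted" if ok else f"WARN: outside window (MAX_DAYS_HENCE={MAX_DAYS_HENCE})"
        print(f"{name:<11} {fmt!r:<28} -> {ctime}  ({days:+.2f} d)  {verdict}")
```

The day-first reading lands 30 days after the indexing time, well past the 2-day MAX_DAYS_HENCE, which is exactly the condition that produces the warning quoted in the question; the month-first reading lands within the hour and is accepted. The practical check this gives you: before raising MAX_DAYS_HENCE as the warning suggests, parse a few raw events with the TIME_FORMAT you intend to set and confirm the offsets from index time look like clock skew, not a swapped month and day.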