Getting the below error after upgrading to the latest Splunk version:
10-11-2019 08:02:49.775 +0000 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sun Nov 10 09:02:47 2019) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=C:\splunk_file\DMVPN Daily Config Backup.txt|host=DTRAFLON2K121|ncm|1584
It is clear to me. Your event with timestamp 10-11-2019 08:02:49.775 +0000 is being *mis*interpreted as Sun Nov 10 09:02:47 2019 instead of Sat Oct 11 09:02:47 2019. This is almost always because you are letting Splunk guess at your timestamp instead of TELLING IT yourself. You need to create a props.conf with these settings:
TIME_PREFIX = <Your RegEx Here>
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 29
NEVER let Splunk guess at anything.
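Added example, not part of this thread or of Splunk itself: a small Python model of the timestamp extraction and the MAX_DAYS_AGO/MAX_DAYS_HENCE window check, showing why the two formats disagree on a date like 10-11-2019 and which one trips the warning. The sample event and reference clock are constructed, `%3N` is mapped to strptime's `%f`, and the window defaults (2000 and 2) are those documented in props.conf.spec.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event and reference clock (not taken from the thread).
SAMPLE_EVENT = "10-11-2019 08:02:49.775 +0000 INFO job=config-backup status=ok"
REFERENCE_NOW = datetime(2019, 10, 11, 9, 0, tzinfo=timezone.utc)


def to_strptime(time_format):
    """Translate a Splunk TIME_FORMAT into a Python strptime format.
    Splunk's %3N (milliseconds) has no strptime equivalent; %f accepts 1-6 digits."""
    return time_format.replace("%3N", "%f")


def extract_timestamp(line, time_prefix, time_format, lookahead):
    """Simplified model of Splunk's extraction: skip past TIME_PREFIX, then
    parse at most MAX_TIMESTAMP_LOOKAHEAD characters with the strict format."""
    m = re.search(time_prefix, line)
    if m is None:
        return None
    window = line[m.end():m.end() + lookahead]
    fmt = to_strptime(time_format)
    # strptime needs an exact match, so shrink the window until the format fits.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
        # Assume UTC when the format carries no %z, so comparisons stay aware.
        return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    return None


def evaluate(line, settings, now=REFERENCE_NOW):
    """Return (timestamp, in_window); in_window mirrors the DateParserVerbose
    check against MAX_DAYS_AGO / MAX_DAYS_HENCE (defaults 2000 and 2)."""
    ts = extract_timestamp(line, settings["TIME_PREFIX"], settings["TIME_FORMAT"],
                           settings["MAX_TIMESTAMP_LOOKAHEAD"])
    if ts is None:
        return None, False
    earliest = now - timedelta(days=settings.get("MAX_DAYS_AGO", 2000))
    latest = now + timedelta(days=settings.get("MAX_DAYS_HENCE", 2))
    return ts, earliest <= ts <= latest


if __name__ == "__main__":
    for fmt in ("%m-%d-%Y %H:%M:%S.%3N %z", "%d-%m-%Y %H:%M:%S.%3N %z"):
        cfg = {"TIME_PREFIX": "^", "TIME_FORMAT": fmt, "MAX_TIMESTAMP_LOOKAHEAD": 29}
        ts, ok = evaluate(SAMPLE_EVENT, cfg)
        print(f"{fmt:28} -> {ts.isoformat()}  in_window={ok}")
```

Run it with your own sample line and TIME_PREFIX to see which format lands the event inside the window before touching MAX_DAYS_AGO or MAX_DAYS_HENCE.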
It appears as though Splunk is using a month-day-year time format instead of day-month-year. To confirm that, please share some sample events (sanitized as necessary) as well as the TIME_FORMAT setting for that sourcetype.