Getting Data In

Why is Splunk indexing data for 12 hours instead of 24 hours?

After 12:59 PM slpunk is indexing data to 1:AM. It should index data for 24 hours but it is indexing for 12 hours only however 1:PM data are getting indexed in 1Am so I have two events in 1 am time stamp Below is my props.conf file.

pulldown_type = 1
TZ = US/Eastern
BREAK_ONLY_BEFORE = \d\d:\d\d+\s*$
Can you give some sample of your time format. So if you also have seconds and milliseconds in your events, then you will have to change your TIME_FORMAT in props.conf as below:

Just to expand on previous comments - it is indexing for 24 hours, but the lack of AM/PM data is resulting in everything being in AM.

If you source data cannot be adjusted to include more time information, then as @thomast_splunk suggests one option would be to just use the whatever the current time and date is when splunk receives the event for processing.

DATETIME_CONFIG = NONE is another option:

  * "NONE" will leave the event time set to whatever time was selected by
    the input layer
    * For data sent by splunk forwarders over the splunk protocol, the input
      layer will be the time that was selected on the forwarder by its input
      behavior (as below).
    * For file-based inputs (monitor, batch) the time chosen will be the
      modification timestamp on the file being read.
    * For other inputs, the time chosen will be the current system time when
      the event is read from the pipe/socket/etc.

This page is a good primer on how Splunk assigns timestamps if you want more details:

May want to just use index time if in the same timezone - or keep that in mind for this particular sourcetype



What does your event text look like? If it includes AM/PM your TIME_FORMAT won't handle that.

If your event looks like:

03:45 PM

Your TIME_FORMAT would need to be:

right without AM and PM

Hi Micahkemp thank you for your reply

I dont have am pm on my event logs

this is my logs generated at 12:01 AM---> 12:01 Info [tasks_advancemedia_aspx]
and this was generated at 12:01 PM --> 12:01 Info [WorkerService] RTAEncode acm status

Also I wanted to break event according to time I have another log at same time ---> 12:01 Error [lambda_method] Unable how would I break event with same time but different logs, I tried BREAK_ONLY_BEFORE = ^\d\d:\d\d+\s but it did not work.

So your events look like:

12:01     <-- 12:01 AM
01:01     <-- 1:01 AM
12:01    <-- 12:01 PM
01:01    <-- 1:01 PM


Which would mean you don't have AM/PM or 24-hour format. That sounds less than ideal to say the least.

