Why is my timestamp not being recognized... - Splunk Community

Getting Data In

Hi,

I have the following data coming in:

10009 SYSTEM 03/05/17 11:12:44 Info Message Partner MQCACTUSOUT, Session 611 - Message sent
    Sequence number : 242034
    UUMID           : OCHASUS33XXX9002556093123JY    
    Suffix          : 1705031356750
 - lrtAZ842

The problem is, instead of interpresting the date as May 3rd, it's being interpreted as March 5th. My props has the following, which looks correct to me.

[swift_alarmsmsgs]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
ANNOTATE_PUNCT=false
KV_MODE=auto
LINE_BREAKER = ([\r\n]+)\d{5}
TIME_FORMAT = %d/%m/%y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=50

Hi a212830,
for me the best approach to a timestamp problem is to download an example of your log in a file and try to ingest it using the Splunk web gui.
In this way you can immediately check your configurations and verify problems.

In your specific situation, the problem could be in MAX_TIMESTAMP_LOOKAHEAD=18 and TIME_PREFIX=\d+\s\w+\s

Bye.
Giuseppe

Upvote for likely correct TIME_PREFIX to fix the OP's issue.

Agreed. I was gonna say TIME_PREFIX as well.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...