Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows server data timestamp issue in splunk

chandrasekhar46
Loves-to-Learn Everything
a week ago

i have splunk data for windows servers for service but getting timestamp issue here is example error log and event example so how can i use props file

shall i install windows TA addon in HF should resolve it or any custom props file bases on event 


11-04-2025 06:10:31.452 +0000 WARN DateParserVerbose [1028 winparsing] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Nov 4 06:10:31 2025). Context: source=WMI:Service|host=XSPW12W923F|WMI:Service|1

event coming like this in splunk :

20251104022942.950679

DisplayName=test_one

Name=WdiSystemHost

StartMode=Manual

State=Stopped

0 Karma
Reply

PrewinThomas
Motivator
a week ago

@chandrasekhar46 
Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this.


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
a week ago

Hi @chandrasekhar46 ,

usually Splunk_TA_Windows correctly parse all windows events, even if this seems to be a very strange windows logs that usually have a different format; are these logs windows servers logs or application logs?

Anyway, you should install Splunk_TA_Windows both on UF, HF and SH.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...