Re: Windows server data timestamp issue in splunk

chandrasekhar46 · ‎11-03-2025

i have splunk data for windows servers for service but getting timestamp issue here is example error log and event example so how can i use props file

shall i install windows TA addon in HF should resolve it or any custom props file bases on event

11-04-2025 06:10:31.452 +0000 WARN DateParserVerbose [1028 winparsing] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Nov 4 06:10:31 2025). Context: source=WMI:Service|host=XSPW12W923F|WMI:Service|1

event coming like this in splunk :

20251104022942.950679

DisplayName=test_one

Name=WdiSystemHost

StartMode=Manual

State=Stopped

PrewinThomas · ‎11-04-2025

@chandrasekhar46
Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this.

Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

gcusello · ‎11-03-2025

Hi @chandrasekhar46 ,

usually Splunk_TA_Windows correctly parse all windows events, even if this seems to be a very strange windows logs that usually have a different format; are these logs windows servers logs or application logs?

Anyway, you should install Splunk_TA_Windows both on UF, HF and SH.

Ciao.

Giuseppe

Windows server data timestamp issue in splunk

heavy forwarder

intermediate forwarder

Windows

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Developer Spotlight with Guilhem Marchand

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

Join the Conversation