Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows server data timestamp issue in splunk

chandrasekhar46
Loves-to-Learn Everything
‎11-03-2025 11:32 PM

i have splunk data for windows servers for service but getting timestamp issue here is example error log and event example so how can i use props file

shall i install windows TA addon in HF should resolve it or any custom props file bases on event 


11-04-2025 06:10:31.452 +0000 WARN DateParserVerbose [1028 winparsing] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Nov 4 06:10:31 2025). Context: source=WMI:Service|host=XSPW12W923F|WMI:Service|1

event coming like this in splunk :

20251104022942.950679

DisplayName=test_one

Name=WdiSystemHost

StartMode=Manual

State=Stopped

0 Karma
Reply

PrewinThomas
Motivator
‎11-04-2025 01:17 AM

@chandrasekhar46 
Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this.


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-03-2025 11:48 PM

Hi @chandrasekhar46 ,

usually Splunk_TA_Windows correctly parse all windows events, even if this seems to be a very strange windows logs that usually have a different format; are these logs windows servers logs or application logs?

Anyway, you should install Splunk_TA_Windows both on UF, HF and SH.

Ciao.

Giuseppe

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...