Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows server data timestamp issue in splunk

chandrasekhar46
Loves-to-Learn Everything
‎11-03-2025 11:32 PM

i have splunk data for windows servers for service but getting timestamp issue here is example error log and event example so how can i use props file

shall i install windows TA addon in HF should resolve it or any custom props file bases on event 


11-04-2025 06:10:31.452 +0000 WARN DateParserVerbose [1028 winparsing] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Tue Nov 4 06:10:31 2025). Context: source=WMI:Service|host=XSPW12W923F|WMI:Service|1

event coming like this in splunk :

20251104022942.950679

DisplayName=test_one

Name=WdiSystemHost

StartMode=Manual

State=Stopped

0 Karma
Reply

PrewinThomas
Motivator
‎11-04-2025 01:17 AM

@chandrasekhar46 
Where have you placed your WQL query for sourcetype="WMI:Service"? It’s recommended to also deploy Splunk_TA_windows on your Heavy Forwarder, as it already includes a parser for this.


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-03-2025 11:48 PM

Hi @chandrasekhar46 ,

usually Splunk_TA_Windows correctly parse all windows events, even if this seems to be a very strange windows logs that usually have a different format; are these logs windows servers logs or application logs?

Anyway, you should install Splunk_TA_Windows both on UF, HF and SH.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...