Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: default timestamp format
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
default timestamp format
My setting in props.conf seems to be not working as expected.
I have put down TIME_FORMAT = %d/%m/%Y %H:%M:%S.%3N
but it is treating 1st May 2012 (01/05/2012) as 5th Jan 2012 (05/01/2012)
props.conf>
TIME_FORMAT = %d/%m/%Y %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=0
I have checked my user settings as well which is set to use current local (en_GB).
any clue why it is showing otherway round in search?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your TIME_FORMAT looks good, however your MAX_TIMESTAMP_LOOKAHEAD doesn't. MAX_TIMESTAMP_LOOKAHEAD defines how many characters relative to (optional) TIME_PREFIX it should use for timestamp extraction, not how many characters relative to TIME_PREFIX before it should start looking. From the docs:
MAX_TIMESTAMP_LOOKAHEAD = <integer>
* Specifies how far (in characters) into an event Splunk should look for a timestamp.
* This constraint to timestamp extraction is applied from the point of the TIME_PREFIX-set location.
* For example, if TIME_PREFIX positions a location 11 characters into the event, and MAX_TIMESTAMP_LOOKAHEAD is set to 10, timestamp extraction will be constrained to characters 11 through 20.
http://docs.splunk.com/Documentation/Splunk/4.3/admin/Propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
example:
Feed contains "01/05/2012 23:59:59.288,v113,NT...". being interpreted as "05/01/2012 23:59:59.288"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the format in the records is in dd/mm/yyyy format, it was working fine when it was first used on the 30th April, but that was probably due to there being no way to confused that date. When 1st May came round then it defaulted to US dates. We have to do the search for all time to get the new records to show (and they are definitely loaded into 5th Jan)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If that's not the problem, could you paste a sample event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to check - you're sure that it's not a matter of how the date is formatted when it's output? So for instance if you search last 24 hours, you're not getting these events that seem to be from January 5th?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
Index This | What is feather-light but cannot be held long?
