Re: failed to parse timestamp at data preview

newbiesplunk · ‎09-01-2014

Hi,
When i do the data preview, it stated "Failed to parse timestamp, defaulting to file modetime". The correct timestamp for my event should be 2 Sep instead of 9 Feb. How to resolve it? If it due to the date configured at the server end or the setting at the splunk? thks

newbiesplunk · ‎10-02-2014

Hi,
if i would like to extract the date (dd/mm/yyyy hh:mm:ss) in the content of the file as the timestamp as shown below, how to go abt doing it? thks

File content
Start;server;02/10/2014 16:13:13

tom_frotscher · ‎09-02-2014

Hi! Splunk can't automatically resolve your timestamp in this case. Therefore, it can fall back to use the time of the last modification of your logfile as a timestamp. If this is the case, you need to do some additional configuration. Is it possible that you post some example events of your logfile and show us the configuration you use for the corresponding sourcetype? Then we can help you to make splunk considering your timestamp correctly.

failed to parse timestamp at data preview

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation