Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- timestamp match is outside of the acceptable time ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timestamp match is outside of the acceptable time window
Hello,
I have a log with a timestamp that does not contain the year.
Moreover the events are not in a chronological order.
Here is a sample:
%symavsfs-4: Thu Mar 08 12:16:23 Romance Standard
%symavsfs-4: Thu Mar 08 12:18:25 Romance Standard
%symavsfs-4: Fri Dec 15 00:12:45 Romance Standard
%symavsfs-4: Fri Dec 15 00:17:50Romance Standard
The timestamp extraction gives an error:
A possible timestamp match (Thu Mar 08 12:16:23 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.
I try to put MAX_DAYS_AGO to 2000 (but it is supposed to be set by default), and MAX_DIFF_SECS_AGO to 31536000 (1 year in second).
But the extraction is still not correct.
Splunk understands that the events are in the future.
Does anyone know how to force Splunk to consider that the events are in the past, either in 2018 or in 2017 ?
Regards
Céline
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thansk for your reply.
But it is not working.
Finally I have seen that the event contains the year,
then I have used TIME_FORMAT : %a %b %d %H:%M:%S Romance Standard Time %Y
%symavsfs-4: Thu Mar 08 12:16:23 Romance Standard 2018
%symavsfs-4: Thu Mar 08 12:18:25 Romance Standard 2918
%symavsfs-4: Fri Dec 15 00:12:45 Romance Standard 2017
%symavsfs-4: Fri Dec 15 00:17:50 Romance Standard 2017
But it is worst. the year of the timestamp is completely and Splunk changes the year with 2012, 2013 ...with a Strange algorithm.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try changing MAX_DAYS_HENCE= 10950 . Also try using TIME_FORMAT parameter.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
