Solved: Date Time parsed incorrectly

rmorlen · ‎08-07-2013

We have data coming into Splunk that looks like:

DATA_FEED[00ZA044]:08/07 06:59:59 Got 'ABCDL NO PENDING TRANSACTIONS FOUND FOR REQUEST ' in file - LaLaStuff

DATA_FEED[00ZA044]:08/07 06:59:59 Queued time was 1.02, starting up a slave.

DATA_FEED[64946350]:08/07 06:59:59 Connecting to DB.

DATA_FEED[00ZA031]:08/07 06:59:59 received 'get_pending_orders:0038:12345678901'

The date/time is being parsed incorrectly. Splunk is reading the date for the above as 07/06/2008 which is really screwing things up.

We then modified the props and added:
TIME_FORMAT = %m/%d %H:%M:%S

Bounced all the searchheads and indexers with the new props. Still coming in wrong.

kristian_kolb · ‎08-07-2013

Would adding the following be of any help? Also, make sure that you add this config to the correct link in the chain, i.e. where the parsing phase occurs. That is normally the indexer, but if your data passes through a Heavy Forwarder before reaching the Indexers, the configs should go there. No need to put it on a dedicated Search Head, though it can't really hurt.

props.conf

[your_sourcetype]
TIME_PREFIX = \]:
MAX_TIMESTAMP_LOOKAHEAD = 20

Don't forget to restart - for more info, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/Kristian

View solution in original post

rmorlen · ‎08-07-2013

Thanks. Not getting errors. Just being parsed incorrectly.

Ayn · ‎08-07-2013

Search heads will not need any updating - timestamp parsing is a pure index-time operation. Consider looking in splunkd.log for errors related to this (the timestamp processor is generally pretty good at throwing errors in the log).

kristian_kolb · ‎08-07-2013

Would adding the following be of any help? Also, make sure that you add this config to the correct link in the chain, i.e. where the parsing phase occurs. That is normally the indexer, but if your data passes through a Heavy Forwarder before reaching the Indexers, the configs should go there. No need to put it on a dedicated Search Head, though it can't really hurt.

props.conf

[your_sourcetype]
TIME_PREFIX = \]:
MAX_TIMESTAMP_LOOKAHEAD = 20

Don't forget to restart - for more info, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/Kristian

linu1988 · ‎08-07-2013

I use it and it works great for the new indexed data!! Am i doing anything wrong without knowing!!!

rmorlen · ‎08-07-2013

Thanks.

This works great.

TIME_FORMAT=%m/%d %H:%M:%S
TIME_PREFIX=\]:

Pushed the updated props.conf to the appropriate places. It did NOT require a restart or a refresh.

alacercogitatus · ‎08-07-2013

Unfortunately, linu1988, time recognition isn't one that can be hit with a debug/refresh. That one requires the Indexer restarts as kristian.kolb mentioned.

Ayn · ‎08-07-2013

No, you can't use the /debug/refresh endpoint for this. Any changes to settings affecting index-time behaviour requires a restart to take effect.

linu1988 · ‎08-07-2013

Don't use the full prefix the answer posted is correct, As time prefix only needed to be unique just before the timestamp starts. And FYI if you want the configs to update without restart you can use the below link, new changes will be done.

_http://server:8000/en-US/debug/refresh

expect some of the configs minor changes can be done with it 🙂

rmorlen · ‎08-07-2013

Thanks. I will give that a try. Can't bounce our indexers until tonight (too many users).

I am also looking at: TIME_PREFIX = ^[^\]]+\]\:

Thanks for the link. Very useful.

Date Time parsed incorrectly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation