
PROPS Configuration file for data sources with timestamp more than 10 years

SplunkDash
Motivator

Hello,

I am getting some error messages from my PROPS configuration file when it parses timestamp data. The sample file/event, my props configuration, and the error message are given below. Any help will be highly appreciated. Thank you so much:

Sample Event:

<?xml version="1.0" encoding="ISO99991"?>
<SDWDATA>
<MDWDATA>
<TIMESTAMP>20110630143000</TIMESTAMP>
<USERTYPE>TEST</USERTYPE>
<SESSION>zx530</SESSION>
<IPADDR>142.225.163.60</IPADDR>
<SYSTEM>CDE</SYSTEM>
<EVENTID>NAMEE</EVENTID>
<EVENTTYPE>SEARCH</EVENTTYPE>
<RETURNCODE>0102</RETURNCODE>
<ERRORMSG>None</ERRORMSG>
<ESTATCD>1</ESTATCD>
<TESTCODE>210</TESTCODE>
<FNUMBER>1321</FNUMBER>
<OUTPUTCODE>10</OUTPUTCODE>
<RCODE>ASDC</RCODE>
<NAMECTRL>TESTPWE</NAMECTRL>
<USERID>I00XY09</USERID>
<ACCESS>ngd</ACCESS>
<CAMPUSCODE>p</CAMPUSCODE>
<SRCCD>ab31</SRCCD>
<SLNR>123456</SLNR>
</MDWDATA>
</SDWDATA>

PROPS:

[ __auto__learned__ ]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]*)<MODTRANSAUDTRL>
TIME_PREFIX=<TIMESTAMP>
TIME_FORMAT=%Y%m%d%H%M%S
MAX_TIMESTAMP_LOOKAHEAD=14
TRUNCATE=1000

ERROR Message: (attached as a screenshot)


PickleRick
SplunkTrust

The error should be quite self-explanatory. And the proposed solution as well.

Your date is from 2011, which is more than the default limit of 5.5 years ago.

Adjust your MAX_DAYS_AGO setting.

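As an added illustration that is not part of the thread, a small Python check that mimics Splunk's timestamp extraction using the TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD from the question and reports how far the event's date lies beyond MAX_DAYS_AGO (default 2000 days, the 5.5 years mentioned above; the setting's maximum value is 10951 days). The trimmed sample event and the fixed index time are constructed.

```python
import math
import re
from datetime import datetime, timezone

# Timestamp settings copied from the props.conf in the question.
TIME_PREFIX = r"<TIMESTAMP>"
TIME_FORMAT = "%Y%m%d%H%M%S"
MAX_TIMESTAMP_LOOKAHEAD = 14
DEFAULT_MAX_DAYS_AGO = 2000   # Splunk default, roughly 5.5 years
MAX_DAYS_AGO_CEILING = 10951  # largest value MAX_DAYS_AGO accepts (~30 years)

# Constructed sample, trimmed to the fields relevant to timestamping.
SAMPLE_EVENT = """<SDWDATA>
<MDWDATA>
<TIMESTAMP>20110630143000</TIMESTAMP>
<USERTYPE>TEST</USERTYPE>
</MDWDATA>
</SDWDATA>"""

# Constructed "index time", fixed so the results are reproducible.
INDEX_TIME = datetime(2022, 1, 24, tzinfo=timezone.utc)


def extract_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Mimic Splunk: locate TIME_PREFIX, take at most MAX_TIMESTAMP_LOOKAHEAD
    characters after it and parse them with TIME_FORMAT. Returns None when
    nothing matches, the other common cause of timestamp errors."""
    m = re.search(prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    try:
        return datetime.strptime(window, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_max_days_ago(event, now=INDEX_TIME, max_days_ago=DEFAULT_MAX_DAYS_AGO):
    """Return (age_in_days, accepted, setting_needed): whether the event is
    within max_days_ago of `now`, and the smallest MAX_DAYS_AGO that would
    accept it (None if the event is older than the setting's ceiling)."""
    ts = extract_timestamp(event)
    if ts is None:
        raise ValueError("no timestamp matched; check TIME_PREFIX/TIME_FORMAT")
    age = math.ceil((now - ts).total_seconds() / 86400)
    accepted = age <= max_days_ago
    needed = None if age > MAX_DAYS_AGO_CEILING else max(age, max_days_ago)
    return age, accepted, needed
```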

