splunk props timestamp issue

kirrusk · ‎06-25-2021

I have a CSV file with the below data, trying to push to Splunk.

Example -

Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu JUN25 12:27:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name2,address2,Thu JUN 25 03:65:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name3,address3,Thu JUN 25 05:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name4,address4,Thu MAY26 06:25:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name5,address5,Thu MAY26 06:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name6,address6,Thu JAN14 07:15:52 +08 2021,Active

props setting

in props using fourth field as timestamp.

SHOULD_LINEMERGE= FALSE
FIELD_DELIMETER=,
HEADER_FIELD_DELIMETER=,
FIELD_NAMES=Time,names,address,creationtime,status
TIMESTAMP_FIELDS=creationtime
TZ=Asia/Singapore

by using the above props I can able to push only the latest date data, other events are missing in Splunk.

for example, I can see only JUN25th data. remaining events are missing.

Can someone explain, what might be the cause.

smurf · ‎06-25-2021

I would try looking at timestamp extraction configuration. Specifically MAX_DAYS_AGO and MAX_DIFF_SECS_AGO in props.conf

It could be the case that Splunk thinks that your events are far in the past and therefore not indexing them.

splunk props timestamp issue

field extraction

fields

regex

rex

search job inspector

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way