Re: splunk props timestamp issue

kirrusk · ‎06-25-2021

I have a CSV file with the below data, trying to push to Splunk.

Example -

Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu JUN25 12:27:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name2,address2,Thu JUN 25 03:65:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name3,address3,Thu JUN 25 05:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name4,address4,Thu MAY26 06:25:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name5,address5,Thu MAY26 06:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name6,address6,Thu JAN14 07:15:52 +08 2021,Active

props setting

in props using fourth field as timestamp.

SHOULD_LINEMERGE= FALSE
FIELD_DELIMETER=,
HEADER_FIELD_DELIMETER=,
FIELD_NAMES=Time,names,address,creationtime,status
TIMESTAMP_FIELDS=creationtime
TZ=Asia/Singapore

by using the above props I can able to push only the latest date data, other events are missing in Splunk.

for example, I can see only JUN25th data. remaining events are missing.

Can someone explain, what might be the cause.

smurf · ‎06-25-2021

I would try looking at timestamp extraction configuration. Specifically MAX_DAYS_AGO and MAX_DIFF_SECS_AGO in props.conf

It could be the case that Splunk thinks that your events are far in the past and therefore not indexing them.

splunk props timestamp issue

field extraction

fields

regex

rex

search job inspector

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

splunk props timestamp issue