splunk props timestamp issue

kirrusk · ‎06-25-2021

I have a CSV file with the below data, trying to push to Splunk.

Example -

Thu JUN 24 15:27:52 +08 2021,name1,address1,Thu JUN25 12:27:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name2,address2,Thu JUN 25 03:65:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name3,address3,Thu JUN 25 05:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name4,address4,Thu MAY26 06:25:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name5,address5,Thu MAY26 06:15:52 +08 2021,Active

Thu JUN 24 15:27:52 +08 2021,name6,address6,Thu JAN14 07:15:52 +08 2021,Active

props setting

in props using fourth field as timestamp.

SHOULD_LINEMERGE= FALSE
FIELD_DELIMETER=,
HEADER_FIELD_DELIMETER=,
FIELD_NAMES=Time,names,address,creationtime,status
TIMESTAMP_FIELDS=creationtime
TZ=Asia/Singapore

by using the above props I can able to push only the latest date data, other events are missing in Splunk.

for example, I can see only JUN25th data. remaining events are missing.

Can someone explain, what might be the cause.

smurf · ‎06-25-2021

I would try looking at timestamp extraction configuration. Specifically MAX_DAYS_AGO and MAX_DIFF_SECS_AGO in props.conf

It could be the case that Splunk thinks that your events are far in the past and therefore not indexing them.

splunk props timestamp issue

field extraction

fields

regex

rex

search job inspector

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Are you a member of the Splunk Community?

splunk props timestamp issue