Splunk Version: 7.1
I have a custom time stamp field in my JSON records in this format, "_timestamp"="1/3/2013 10:12:56.000 PM".
On uploading the record, Splunk picks up the custom timestamp and assigns it to _time. However, when the year is before 2012, i.e.
"_timestamp"="1/3/2012 10:12:56.000 PM" or "_timestamp"="1/3/2011 10:12:56.000 PM", Splunk throws an error that it cannot use regex to parse the timestamp.
I have been beating my head around this and would love to know the solution for this.
P.S. I have not changed any configuration in props.conf; Splunk automatically picks up the custom timestamp as it is in the exact format.