Solved: How to limit date timestamp parsing view? - Splunk Community

Getting Data In

I have a proxy server that is double date stamping events. This is not normally an issue, but I ran into a hydridization of these dates when the 2 date stamps differ:

  Jul 27 23:59:59 name01 name01.coname.dom: <Mon, 28 Jul 2014 00:00:00,EDT> xxxpayloadxxx

Splunk date-stamped this event as 7/28/2014 23:59:59. We are utilizing Splunk's default time stamp parsing for this source.

I want Splunk to stop looking for a date after 16 characters. My understanding for the max_timestamp_lookahead in props.conf tells Splunk where to start, not stop.

Any guidance is appreciated. Thanks

1 Solution

Solution

You can specify this:

TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 16

The prefix tells it where to start, and the lookahead where to stop. Additionally, you could specify an appropriate TIME_FORMAT.

View solution in original post

Solution

You can specify this:

TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 16

The prefix tells it where to start, and the lookahead where to stop. Additionally, you could specify an appropriate TIME_FORMAT.

Awesome - thanks!

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...