I am trying to extract timestamp. But instead of 2007, Splunk is extracting 2013 which is not at all in my event. Could someone please advise me how to fix this problem?
<38>Dec 14 06:24:30 10.2.1.30 SAFEART: Auditnumber="FFFE02F1677334EBBD36",TimeReported="2007/12/14 06:19:29",TimeReceived="2007/12/14
Props.conf
[xxx_logs]
TIME_PREFIX = TimeReported=
TIME_FORMAT = %Y/%m/%d %H:%M:%S
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)<\d{2}>\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}
Here's what's missing from your settings: MAX_DAYS_AGO=4000
If you check out the spec for props.conf you'll see this setting and the explanation:
MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date
can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
*** IMPORTANT: If your data is older than 2000 days, increase this setting.**
Note that last line... and the one above it. If you don't tell Splunk that it's legit to have a date that's from over 10 years ago... it assumes it's corrupted if it just pops in there... (if it's part of a giant backfill...Splunk will get the message because the dates are consecutive) I don't really have an explanation for the 2013 (my example came up with 2012 using your event)... except that Splunk is trying really hard to make sense of a date you've indicated by omission, is younger than 2000 days ago.
You also want to change TIME_PREFIX = Time Reported=
to TIME_PREFIX = Time Reported="
If you check it out with the Add Data Wizard, (without my changes) you'll see messages explaining these things. When you don't include the quote in the prefix, (it is... part of what comes right before the date) Splunk will not really know exactly what to do with it and the message you'll see in the Wizard explains it's trying to figure out which date is the one you want. Splunk tries really, really hard to extract the timestamp and it will latch on to anything that even remotely looks like one. So it's best to be sure you're giving it the specific directives that lead it to the one you want... especially when there are several in one event.
Here's what's missing from your settings: MAX_DAYS_AGO=4000
If you check out the spec for props.conf you'll see this setting and the explanation:
MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date
can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
*** IMPORTANT: If your data is older than 2000 days, increase this setting.**
Note that last line... and the one above it. If you don't tell Splunk that it's legit to have a date that's from over 10 years ago... it assumes it's corrupted if it just pops in there... (if it's part of a giant backfill...Splunk will get the message because the dates are consecutive) I don't really have an explanation for the 2013 (my example came up with 2012 using your event)... except that Splunk is trying really hard to make sense of a date you've indicated by omission, is younger than 2000 days ago.
You also want to change TIME_PREFIX = Time Reported=
to TIME_PREFIX = Time Reported="
If you check it out with the Add Data Wizard, (without my changes) you'll see messages explaining these things. When you don't include the quote in the prefix, (it is... part of what comes right before the date) Splunk will not really know exactly what to do with it and the message you'll see in the Wizard explains it's trying to figure out which date is the one you want. Splunk tries really, really hard to extract the timestamp and it will latch on to anything that even remotely looks like one. So it's best to be sure you're giving it the specific directives that lead it to the one you want... especially when there are several in one event.