Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timestamp matching outside of the acceptable window

yog123
New Member
‎10-11-2019 10:45 PM

getting below error after upgrade to latest splunk version:
10-11-2019 08:02:49.775 +0000 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Sun Nov 10 09:02:47 2019) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=C:\splunk_file\DMVPN Daily Config Backup.txt|host=DTRAFLON2K121|ncm|1584

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-12-2019 09:53 AM

It is clear to me. Your event with timestamp 10-11-2019 08:02:49.775 +0000 is being *mis*interpreted as Sun Nov 10 09:02:47 2019 instead of Sat Oct 11 09:02:47 2019. This is almost always because you are letting Splunk guess at your timestamp instead of TELLING IT yourself. You need to create a props.conf with these settings:

TIME_PREFIX = <Your RegEx Here>
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%3N %z
MAX_TIMESTAMP_LOOKAHEAD = 29

NEVER let Splunk guess at anything.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2019 05:12 AM

It appears as though Splunk is using a month-day-year time format instead of day-month-year. To confirm that, please share some sample events (sanitized as necessary) as well as the TIME_FORMAT setting for that sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...