How do I get Splunk to recognize the full Date AND...

jimmitch923 · ‎07-26-2016

Event lines look like this
{I5K5-M8HD47HI-6694GOIH},01/02/2010 07:13:39,NLR0174,PC-8272,Connect

Everything I've tried only recognizes the time...but not the date.
TIME_FORMAT = %d/%m/%Y %H:%M:%S
TIME_PREFIX = {.+}\,

Help please!

Jeremiah · ‎07-26-2016

Are the dates really that old? You may need to increase MAX_DAYS_AGO. Does it work differently for more recent timestamps?

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an
  extracted date can be valid. Splunk still indexes events with dates older
  than MAX_DAYS_AGO with the timestamp of the last acceptable event. If no 
  such acceptable event exists, new events with timestamps older than MAX_DAYS_AGO 
  will use the current timestamp.
* For example, if MAX_DAYS_AGO = 10, Splunk applies the timestamp of the last 
  acceptable event to events with extracted timestamps older than 10 days in 
  the past. If no acceptable event exists, Splunk applies the current timestamp.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

sheron_splunk · ‎07-26-2016

Have you tried using MAX_TIMESTAMP_LOOKAHEAD=19 ?

How do I get Splunk to recognize the full Date AND Time in the timestamp of this CSV?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk