Solved: Re: Why isn't the time being recognized?

ddrillic · ‎02-12-2018

A little bit strange as this time stamp is not being recognized -

skoelpin · ‎02-12-2018

This is because you did not set your base configs in props.conf and Splunk is guessing at your time format.

You should add this to your indexer(s), restart the Splunkd service and it will work properly.

[sourcetype]
TIME_PREFIX = ^ 
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3n

skoelpin · ‎02-12-2018

This is because you did not set your base configs in props.conf and Splunk is guessing at your time format.

You should add this to your indexer(s), restart the Splunkd service and it will work properly.

[sourcetype]
TIME_PREFIX = ^ 
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3n

ddrillic · ‎02-12-2018

Great @skoelpin. So which format(s) is being detected without configurations?

pradeepkumarg · ‎02-12-2018

What does your props.conf look like? Particularly TIME_FORMAT ?

ddrillic · ‎02-12-2018

nothing for now ; -)

Why isn't the time being recognized?