Hi, I am facing a weird issue with timestamp recognition by Splunk. The modified timestamp is 2016/11/26 but somehow I see 1998 in the splunkd log. The file is not getting indexed due to these errors.
Performed the following actions:
Set DATETIME_CONFIG=NONE in the forwarder and indexer props.conf files. But I see the following errors:
01-31-2017 19:32:37.365 -0700 WARN DateParserVerbose - A possible timestamp match (Sun Dec 20 20:15:49 1998) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::/tmp/BT99P.BBMXDC48.EXTRACT_161129235057_0643
01-31-2017 19:32:21.236 -0700 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Jan 30 06:07:54 2014). Context: source::/tmp/BT99P.BBMXDC48.EXTRACT_161129235057_0643
Copying the btool output below:
Forwarder:
[test_abcd]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = false
CHARSET = UTF-8
DATETIME_CONFIG = NONE
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
NO_BINARY_CHECK = true
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = false
TRANSFORMS =
TRUNCATE = 10000
detect_trailing_nulls = false
disabled = false
maxDist = 100
priority =
pulldown_type = true
sourcetype =
Indexer props:
[test_abcd]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = false
CHARSET = UTF-8
DATETIME_CONFIG = NONE
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
NO_BINARY_CHECK = true
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = false
TRANSFORMS =
TRUNCATE = 10000
detect_trailing_nulls = false
disabled = false
maxDist = 100
priority =
pulldown_type = true
The file's timestamp on the Linux OS:
File: `BT99P.BBMXDC48.EXTRACT_161129235057_0643'
Size: 18012132 Blocks: 35184 IO Block: 4096 regular file
Device: fd03h/64771d Inode: 524302 Links: 1
Access: (0755/-rwxr-xr-x) Uid: (617339/#####) Gid: (6000000/users)
Access: 2017-01-31 19:31:49.335197997 -0700
Modify: 2016-11-26 00:00:09.000000000 -0700
Change: 2017-01-31 19:14:56.740167230 -0700
I need to load the old file with the modified timestamp of 2016/11/26. Please advise which settings need to be made.
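To make the window check behind those two WARN lines concrete, the following added example (not part of the original post or of Splunk's code) parses the quoted splunkd.log lines and applies the MAX_DAYS_AGO / MAX_DAYS_HENCE limits from the [test_abcd] stanza to the candidate timestamps. It assumes the candidate timestamps share the -0700 offset printed on the log line, and it models only the absolute window, not Splunk's relative MAX_DIFF_SECS_* rules.

```python
import re
from datetime import datetime, timedelta

# Limits copied from the [test_abcd] stanza in the btool output above.
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2

# splunkd.log line shape: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
_LINE = re.compile(
    r"^(?P<when>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"WARN DateParserVerbose - (?P<msg>.*)$"
)
_MATCH = re.compile(r"A possible timestamp match \((?P<ts>[^)]+)\) is outside")
_FALLBACK = re.compile(r"Defaulting to timestamp of previous event \((?P<ts>[^)]+)\)")


def _parse_ctime(text):
    # Candidates are printed in ctime form, e.g. "Sun Dec 20 20:15:49 1998".
    # Assumption: same UTC offset as the log line itself, so naive datetimes compare directly.
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def in_window(candidate, index_time):
    """Absolute acceptance window: [index_time - MAX_DAYS_AGO, index_time + MAX_DAYS_HENCE]."""
    lower = index_time - timedelta(days=MAX_DAYS_AGO)
    upper = index_time + timedelta(days=MAX_DAYS_HENCE)
    return lower <= candidate <= upper


def classify(line):
    """Describe a DateParserVerbose WARN line, or return None for unrelated lines."""
    m = _LINE.match(line)
    if not m:
        return None
    index_time = datetime.strptime(m["when"], "%m-%d-%Y %H:%M:%S.%f")
    for kind, pattern in (("out_of_window", _MATCH), ("fallback", _FALLBACK)):
        hit = pattern.search(m["msg"])
        if hit:
            cand = _parse_ctime(hit["ts"])
            return {"kind": kind, "candidate": cand,
                    "days_ago": (index_time - cand).days,
                    "in_window": in_window(cand, index_time)}
    return {"kind": "other", "msg": m["msg"]}


# Constructed sample: the two WARN lines quoted in the post.
SAMPLE = [
    "01-31-2017 19:32:37.365 -0700 WARN DateParserVerbose - A possible timestamp match (Sun Dec 20 20:15:49 1998) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::/tmp/BT99P.BBMXDC48.EXTRACT_161129235057_0643",
    "01-31-2017 19:32:21.236 -0700 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Jan 30 06:07:54 2014). Context: source::/tmp/BT99P.BBMXDC48.EXTRACT_161129235057_0643",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Running it shows the 1998 candidate is over 6600 days before index time, far past MAX_DAYS_AGO=2000, while the 2014 fallback value sits inside the window, which is why only the first line is reported as out of range.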