Splunk® Enterprise

Getting Data In


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.

Configure timestamp recognition

Most events don't require any special timestamp handling. Splunk automatically recognizes and extracts their timestamps. However, for some sources and distributed deployments, you might need to configure how Splunk extracts timestamps so that they are recognized and formatted correctly.

There are two ways to configure timestamp extraction:

  • Use the data preview feature to interactively adjust timestamps on sample data. Once you're happy with the results, you can save the changes to a new source type and then apply that source type to your data inputs. See the chapter "Preview your data".
  • Edit props.conf directly. For information on how to edit props.conf for timestamp extraction, read on!

Splunk's timestamp processor

Splunk's timestamp processor is located by default in $SPLUNK_HOME/etc/datetime.xml. You ordinarily do not need to touch this file, unless you're dealing with unusual, custom timestamps. If you need to configure timestamp recognition in some way, you can usually make the necessary changes by setting props.conf timestamp attributes, as described below.

If you have a custom timestamp that can't be handled by configuring props.conf, you can substitute your own timestamp processor with the DATETIME_CONFIG attribute, described in the next section. This attribute specifies the file Splunk should use for timestamp processing.

Edit timestamp properties in props.conf

To configure how Splunk recognizes timestamps, edit props.conf. There are a number of attributes that pertain to timestamps. In particular, you can determine how Splunk recognizes a timestamp by using the TIME_FORMAT attribute to specify a strptime() format for the timestamp. You can also set other attributes pertaining to timestamps; for example, to specify where a timestamp is located in an event, what time zone to use, or how to deal with timestamps of varying currency.

Edit the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see "About configuration files" in the Admin manual.

To set Splunk's timestamp recognition, configure one or more of the timestamp attributes in props.conf. Refer to the props.conf specification file for detailed information regarding these and other attributes.

Syntax overview

Here's an overview of the syntax for the timestamp attributes:

[<spec>]
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
TIME_PREFIX = <regular expression>
MAX_TIMESTAMP_LOOKAHEAD = <integer>
TIME_FORMAT = <strptime-style format>
TZ = <posix time zone string>
TZ_ALIAS = <key=value>[,<key=value>]...
MAX_DAYS_AGO = <integer>
MAX_DAYS_HENCE = <integer>
MAX_DIFF_SECS_AGO = <integer>
MAX_DIFF_SECS_HENCE = <integer>

In this syntax, <spec> can be:

  • <sourcetype>, the source type of an event.
  • host::<host>, where <host> is the host value for an event.
  • source::<source>, where <source> is the source value for an event.

If an event contains data that matches the value of <spec>, then the timestamp rules specified in the stanza apply to that event. You can have multiple stanzas, to handle different <spec> values.

Timestamp attributes

These are the timestamp attributes settable through props.conf:

DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>

  • Specify a file to use to configure Splunk's timestamp processor.
  • By default, Splunk uses $SPLUNK_HOME/etc/datetime.xml as the timestamp processor.
  • Under normal circumstances, you will not need to create your own timestamp processor file or modify Splunk's default datetime.xml file. The other props.conf attributes, described in this topic, can usually tweak Splunk's timestamp recognition capability to meet your needs. However, if your data has a custom timestamp format, you might need to substitute your own version of this file.
  • Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk does not look at the text of the event for the timestamp; it instead uses the event's "time of receipt", in other words, the time the event is received via its input. For file-based inputs, this means that Splunk derives the event timestamp from the modification time of the input file.
  • Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.
  • Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* and MUST_BREAK_* settings to control event merging.

TIME_PREFIX = <regular expression>

  • When set, Splunk looks for a match for this regex in the event text before attempting to extract a timestamp. The timestamp algorithm only looks for a timestamp in the event text that follows the end of the first regex match.
  • You should use a regular expression that points exactly before your event's timestamp. For example, if the timestamp follows the phrase abc123 in your events, you should set TIME_PREFIX to abc123.
  • If the TIME_PREFIX cannot be found in the event text, timestamp extraction does not take place.
  • Defaults to empty string.

MAX_TIMESTAMP_LOOKAHEAD = <integer>

  • Specify how far (how many characters) into an event Splunk should look for a timestamp.
  • This constraint is applied starting from the location positioned by TIME_PREFIX.
    • For example, if TIME_PREFIX positions a location 11 characters into the event, and MAX_TIMESTAMP_LOOKAHEAD is set to 10, timestamp extraction will be constrained to characters 11 through 20.
  • If set to 0 or -1, the length constraint for timestamp recognition is effectively disabled. This can have negative performance implications which scale with the length of input lines (or with event size when LINE_BREAKER is redefined for event splitting).
  • Default is 150 characters.

TIME_FORMAT = <strptime-style format>

  • Specifies a strptime() format string to extract the timestamp.
  • strptime() is a Unix standard for designating time formats. For more information, see the section "Enhanced strptime() support", below.
  • TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute). If you use a TIME_PREFIX, it must match up to and including the character before the timestamp begins. If you don't set TIME_PREFIX but you do set TIME_FORMAT, the timestamp must appear at the very start of each event; otherwise, Splunk will not be able to process the formatting instructions, and every event will contain a warning about the inability to use strptime. (It's possible that you will still end up with a valid timestamp, based on how Splunk attempts to recover from the problem.)
  • For best results, the <strptime-style format> should describe the day of the year and the time of day.
  • If <strptime-style format> contains an hour component, but no minute component, TIME_FORMAT ignores the hour component. It treats the format as an anomaly and considers the precision to be date-only.
  • Default is empty.

TZ = <posix time zone string>

  • Splunk's logic for determining a particular event's time zone is as follows:
    • If the event has a time zone in its raw text (such as UTC or -08:00), use that.
    • Otherwise, if TZ is set to a valid time zone string, use that. Specify a time zone setting using a value from the zoneinfo TZ database.
    • Otherwise, use the time zone of the system that is running splunkd.
  • For more details and examples, see "Specify time zones of timestamps" in this manual.
  • Defaults to empty.

TZ_ALIAS = <key=value>[,<key=value>]...

  • Provides admin-level control over how timezone strings extracted from events are interpreted. For example, EST can mean Eastern (US) Standard Time or Eastern (Australian) Standard Time. There are many other three-letter timezone acronyms with multiple expansions.
  • There is no requirement to use TZ_ALIAS if the traditional Splunk default mappings for these values work as expected. For example, EST maps to the Eastern US by default.
  • Has no effect on the TZ value. It affects only timezone strings from event text, either from any configured TIME_FORMAT or from pattern-based guess fallback.
  • The setting is a list of key=value pairs, separated by commas.
  • The key is matched against the text of the timezone specifier of the event, and the value is the timezone specifier to use when mapping the timestamp to UTC/GMT.
  • The value is another TZ specifier that expresses the desired offset.
  • Example: TZ_ALIAS = EST=GMT+10:00 (See the props.conf example file in the Configuration File Reference for more examples).
  • Defaults to unset.

MAX_DAYS_AGO = <integer>

  • Specifies the maximum number of days in the past, from the current date, that an extracted date can be valid.
  • For example, if MAX_DAYS_AGO = 10, Splunk ignores dates older than 10 days from the current date.
  • Default is 2000; maximum is 10951.
  • Note: If you have data that is more than 2000 days old, increase this setting.

MAX_DAYS_HENCE = <integer>

  • Specifies the maximum number of days in the future from the current date that an extracted date can be valid.
  • For example, if MAX_DAYS_HENCE = 3, dates that are more than 3 days in the future are ignored.
  • Important: False positives are less likely with a tighter window; change with caution.
  • If your servers have the wrong date set or are in a time zone that is one day ahead, set this value to at least 3.
  • Defaults to 2. This allows timestamp extractions that are up to a day in the future. Maximum is 10950.

MAX_DIFF_SECS_AGO = <integer>

  • If the event's timestamp is more than <integer> seconds before the previous timestamp, Splunk only accepts it if it has the same time format as the majority of timestamps from the source.
  • Important: If your timestamps are wildly out of order, consider increasing this value.
  • Defaults to 3600 (one hour), maximum is 2147483646.

MAX_DIFF_SECS_HENCE = <integer>

  • If the event's timestamp is more than <integer> seconds after the previous timestamp, Splunk only accepts it if it has the same time format as the majority of timestamps from the source.
  • Important: If your timestamps are wildly out of order, or if you have logs that are written less than once a week, consider increasing this value.
  • Defaults to 604800 (one week), maximum is 2147483646.

Enhanced strptime() support

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table:

%N                   For GNU date-time nanoseconds. Specify any sub-second parsing by providing the width: %3N = milliseconds, %6N = microseconds, %9N = nanoseconds.
%Q, %q               For milliseconds, microseconds for Apache Tomcat. %Q and %q can format any time resolution if the width is specified.
%I                   For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.
%+                   For standard Unix date format timestamps.
%v                   For BSD and OSX standard date format.
%Z, %z, %::z, %:::z  GNU libc support.
%o                   For AIX timestamp support (%o used as an alias for %Y).
%p                   The locale's equivalent of AM or PM. (Note: there may be none.)

Note: A strptime expression that ends with a literal dot and subsecond specifier such as %Q, %q, %N will treat the terminal dot and conversion specifier as optional. If the .subseconds portion is absent from the text, it will still extract.

strptime() format expression examples

Here are some sample date formats, with the strptime() expressions that handle them:

1998-12-31                 %Y-%m-%d
98-12-31                   %y-%m-%d
1998 years, 312 days       %Y years, %j days
Jan 24, 2003               %b %d, %Y
January 24, 2003           %B %d, %Y
25 Feb '03 = 2003-02-25    %d %b '%y = %Y-%m-%d

Note: Splunk does not currently recognize non-English month names in timestamps. If you have an app that's writing non-English month names to log files, reconfigure the app to use numerical months, if possible.


Your data might contain an easily recognizable timestamp, such as:

...FOR: 04/24/07 PAGE 01...

To extract that timestamp, add this stanza in props.conf:

TIME_FORMAT = %m/%d/%y

Your data might contain other information that Splunk parses as timestamps, for example:

...1989/12/31 16:00:00 ed May 23 15:40:21 2007...

Splunk extracts the date as Dec 31, 1989, which is not useful. In this case, configure props.conf to extract the correct timestamp from events from host::foo:

[host::foo]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s
TIME_FORMAT = %b %d %H:%M:%S %Y

This configuration assumes that all timestamps from host::foo are in the same format. Configure your props.conf stanza to be as granular as possible to avoid potential timestamping errors.
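The interaction of TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and the MAX_DAYS_AGO/MAX_DAYS_HENCE sanity window is easiest to see on the host::foo event above. The following is an added example written for this topic, not Splunk's timestamp processor: a simplified Python model of the documented rules, run against a constructed sample event and a constructed "current time".

```python
import re
from datetime import datetime

def extract_timestamp(event, time_prefix="", time_format="", max_lookahead=150,
                      max_days_ago=2000, max_days_hence=2, now=None):
    """Simplified model of the props.conf rules: returns (datetime or None, reason)."""
    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if not m:
            return None, "TIME_PREFIX not found: no extraction"
        start = m.end()  # the timestamp is searched for only after the prefix
    # 0 or -1 disables MAX_TIMESTAMP_LOOKAHEAD; otherwise cut the window
    if max_lookahead in (0, -1):
        window = event[start:]
    else:
        window = event[start:start + max_lookahead]
    # Python strptime() must consume the whole string, so try the longest
    # prefix of the window first and keep the first one that parses.
    ts = None
    for n in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:n], time_format)
            break
        except ValueError:
            continue
    if ts is None:
        return None, "TIME_FORMAT did not match inside the lookahead window"
    if now is not None:  # MAX_DAYS_AGO / MAX_DAYS_HENCE sanity window
        days_ago = (now.date() - ts.date()).days
        if days_ago > max_days_ago:
            return None, "rejected: older than MAX_DAYS_AGO"
        if -days_ago > max_days_hence:
            return None, "rejected: further ahead than MAX_DAYS_HENCE"
    return ts, "ok"

# The [host::foo] stanza from this topic, plus constructed sample data.
PREFIX = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s"
FORMAT = "%b %d %H:%M:%S %Y"
EVENT = "1989/12/31 16:00:00 ed May 23 15:40:21 2007 worker started"  # constructed
NOW = datetime(2007, 5, 24)  # constructed "current time" for the day-range checks

def demo():
    """Run the stanza against the sample event under four conditions."""
    return {
        "page_config": extract_timestamp(EVENT, PREFIX, FORMAT, now=NOW),
        "lookahead_10": extract_timestamp(EVENT, PREFIX, FORMAT, max_lookahead=10, now=NOW),
        "prefix_missing": extract_timestamp("no dates here", PREFIX, FORMAT, now=NOW),
        "three_days_hence": extract_timestamp(EVENT.replace("May 23", "May 27"),
                                              PREFIX, FORMAT, now=NOW),
    }
```

With the stanza as written the May 23 timestamp wins; a lookahead of 10 characters truncates the window to "May 23 15:" and extraction fails, as does an event without the prefix, and a timestamp three days ahead of NOW is dropped by the default MAX_DAYS_HENCE of 2.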

For detailed information on extracting the correct timestamp from events containing multiple timestamps, see "Configure timestamp assignment for events with multiple timestamps".

Configure timestamps for specific needs

You can use the attributes described in this topic to configure Splunk's timestamp extraction processor for some specialized purposes, such as:

Configure how timestamps appear in search results

You can use your browser's locale setting to configure how the browser formats Splunk timestamps in search results. For information on setting the browser locale, see "User language and locale".

Reconfigure how timestamps appear in raw data

Even though Splunk uses the browser locale to configure how timestamps appear in search results, the data still remains in its original format in the raw data. You might want to change this, so that the data format is standardized in both raw data and search results. You can do this by means of props.conf and transforms.conf. Here's an example:

Assume the timestamp data in the raw event looks like this:

06/07/2011 10:26:11 PM

but you want it to look like this (to correspond with how it appears in search results):

07/06/2011 10:26:11 PM

This example shows briefly how you can use props.conf and transforms.conf to transform the timestamp in the raw event.

In transforms.conf, add this stanza:

[resortdate]
REGEX = ^(\d{2})\/(\d{2})\/(\d{4})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw

In props.conf, add this stanza, where <spec> qualifies your data:

[<spec>]
TRANSFORMS-sortdate = resortdate
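To check what the REGEX/FORMAT pair above does to an event before deploying it, the following added example (written for this topic, not Splunk code) models the rewrite in Python: Splunk's $N group references are converted to Python's \g<N> form and the expanded FORMAT replaces _raw. It assumes that with DEST_KEY = _raw the whole raw event is replaced by the expanded FORMAT, which is why the capture group $4 matters.

```python
import re

# The transforms.conf stanza from this topic, as a dict.
TRANSFORM = {
    "REGEX": r"^(\d{2})\/(\d{2})\/(\d{4})\s([^/]+)",
    "FORMAT": "$2/$1/$3 $4",
}

def splunk_format_to_python(fmt):
    """Turn Splunk's $N group references into Python's \\g<N> form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", fmt)

def apply_transform(raw, transform=TRANSFORM):
    """Return the rewritten _raw; an event that REGEX does not match is left as is.

    Assumption for this model: the expanded FORMAT becomes the entire new _raw.
    """
    m = re.match(transform["REGEX"], raw)
    if not m:
        return raw
    return m.expand(splunk_format_to_python(transform["FORMAT"]))

def demo():
    """Constructed sample events: the page's date, a message with a slash, a miss."""
    return {
        "page_event": apply_transform("06/07/2011 10:26:11 PM user login ok"),
        # [^/]+ stops at the first slash after the timestamp, so under the
        # whole-replacement assumption the rest of this message is lost.
        "slash_caveat": apply_transform("06/07/2011 10:26:11 PM GET /index.html"),
        "no_match": apply_transform("2011-07-06 22:26:11 user login ok"),
    }
```

The slash case is the check worth running on your own data: because $4 is `[^/]+`, any text after a "/" later in the event is not carried into the FORMAT, so widen the last group (for example to `(.*)`) if your messages can contain slashes.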

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around timestamp recognition and configuration.


This documentation applies to the following versions of Splunk® Enterprise: 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Hi,
How can I configure Splunk to use the day/month and time from the file but pull the year from the filename? I have logs that contain the time, day/month at the start of every entry; however, when set to 'Auto' Splunk often sets the incorrect year. Also, in addition to being in the filename, each log contains the year in the first log entry. Here is an example:
The file name is #newsroom.20080826.txt

Session Start: Tue Aug 26 00:00:01 2008
Session Ident: #newsroom
[00:00.29 8/26] 00:00ET *DJ US Diplomat Escapes Attack In Pakistan - Police

Thank you

July 8, 2013

Hi Davidjehoul, I recommend you ask this on http://answers.splunk.com if you have not already found an answer to your question.

Rachel, Splunker
March 7, 2013

Hi,
I'm trying to redefine the timestamp for my resource that contains data as follows:

DBInit-27,21/02/2013 9:28:26,22/02/2013 16:30:16,0,R_1812,0,Netscape3.0,0,0,3,,,ohm-web-7.9.0-SNAPSHOT (6f5d6 - 2013-02-26 13:58:14),20130301_110723,1/03/2013 11:12:38,1/03/2013 11:12:45,7,True,DAVIDJ-3500,x86,4

By default, the timestamp that is extracted is the first one that it encounters, being 21/02/2013 9:28:26 in this case. However, I want to make the timestamp to be 1/03/2013 11:12:38 (the one before the last timestamp). For this, I added the following in C:\Program Files\Splunk\etc\apps\search\default\props.conf:

[source::C:\\Temp\\testResultLog.csv]
TIME_PREFIX = \d{8}_\d{6},
TIME_FORMAT = %d/%m/%y %H:%M:%S

The regex matches '20130301_110723,' expecting to define the timestamp as I desire, as is explained in the manual.
Unfortunately, this has no effect; I tried to stop and start splunk; did a C:\\Temp\\testResultLog.csv | extract reload=T; all to no effect.

March 1, 2013
