Splunk® Enterprise

Getting Data In

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure timestamp recognition

Most events do not require special timestamp handling. Splunk software recognizes and extracts their timestamps correctly. However, with some sources and distributed deployments, you might need to configure how timestamps are extracted, to ensure they are formatted properly.

There are two ways to configure timestamp extraction:

  • Use the "Set Sourcetype" page in Splunk Web to interactively adjust timestamps on sample data. Once you are happy with the results, you can save the changes to a new source type and then apply that source type to your data inputs. See The Set Sourcetype page.
  • Edit props.conf directly, as explained in this topic.

If you have Splunk Enterprise and need to modify timestamp extraction, perform the configuration on your indexer machines or, if you forward data, use heavy forwarders and perform the configuration on the machines where the heavy forwarders run. If you have Splunk Cloud and need to modify timestamp extraction, use heavy forwarders and perform the configuration on the machines where the heavy forwarders run.

The timestamp processor

The timestamp processor resides at $SPLUNK_HOME/etc/datetime.xml by default. You do not need to touch this file normally, unless you work with unusual, custom timestamps. If you need to configure timestamp recognition in some way, you can make the necessary changes by setting props.conf timestamp attributes, as described later in this topic.

If you have a custom timestamp that cannot be handled by configuring props.conf, substitute your own timestamp processor with the DATETIME_CONFIG attribute. This attribute specifies the file to be used by Splunk software for timestamp processing.

Edit timestamp properties in props.conf

To configure how Splunk software recognizes timestamps, edit props.conf. There are a number of attributes that pertain to timestamps. In particular, you can determine how Splunk software recognizes a timestamp by using the TIME_FORMAT attribute to specify a strptime() format for the timestamp.

You can also set other attributes that pertain to timestamps. This includes specifying where to look in an event for a timestamp, what time zone to use, or how to deal with timestamps of varying currency.

Edit the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/. For information on configuration files in general, see About configuration files in the Admin manual.

To set timestamp recognition, configure one or more of the timestamp attributes in props.conf. Refer to the props.conf specification file for detailed information regarding these and other attributes.

Syntax overview

An overview of the syntax for the timestamp attributes follows: 

[<spec>]
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
TIME_PREFIX = <regular expression>
MAX_TIMESTAMP_LOOKAHEAD = <integer>
TIME_FORMAT = <strptime-style format>
TZ = <POSIX time zone string>
MAX_DAYS_AGO = <integer>
MAX_DAYS_HENCE = <integer>
MAX_DIFF_SECS_AGO = <integer>
MAX_DIFF_SECS_HENCE = <integer>

In this syntax, <spec> can be:

  • <sourcetype>, the source type of an event.
  • host::<host>, where <host> is the host value for an event.
  • source::<source>, where <source> is the source value for an event.

If an event contains data that matches the value of <spec>, then the timestamp rules specified in the stanza apply to that event. You can have multiple stanzas, to handle different <spec> values.

Timestamp validity attributes and their impact on events

By default, all events are indexed, unless you specifically filter out events through other means.

When you set the MAX_DAYS_AGO, MAX_DAYS_HENCE, MAX_DIFF_SECS_AGO, or MAX_DIFF_SECS_HENCE attributes in a stanza, and event timestamps fall outside of the parameters of the attributes, then the software uses the following algorithm to determine the timestamp:

  • The software uses the timestamp of the previous event to assign the timestamp of the current event.
  • If the timestamp of the previous event can't be determined, then the software uses the current index time to assign a timestamp to the event.

Events are not dropped if they fall outside of the parameters of these attributes.

Timestamp attributes

You can set the following timestamp attributes with props.conf.

Attribute Description Default
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME> Specify a file to use to configure the Splunk timestamp processor.

Under normal circumstances, you do not need to create your own timestamp processor file or modify the default datetime.xml file. The other props.conf attributes, described in this topic, can usually tweak the timestamp recognition capability to meet your needs. However, if your data has a custom timestamp format, you might need to substitute your own version of this file.

Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk software does not look at the text of the event for the timestamp--it instead uses the event's "time of receipt"; in other words, the time the event is received via its input. For file-based inputs, the event timestamp is taken from from the modification time of the input file.

Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.

Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely not to work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.

$SPLUNK_HOME/etc/datetime.xml
TIME_PREFIX = <regular expression> When set, Splunk software uses the specified regular expression to looks for a match before attempting to extract a timestamp. The timestamp algorithm only looks for a timestamp in the event text that follows the end of the first regular expression match.

You should use a regular expression that points exactly before your event's timestamp. For example, if the timestamp follows the phrase abc123 in your events, you should set TIME_PREFIX to abc123.

If the TIME_PREFIX cannot be found in the event text, timestamp extraction does not take place.

empty string
MAX_TIMESTAMP_LOOKAHEAD = <integer> Specify how far (how many characters) into an event Splunk software should look for a timestamp.

This constraint is applied starting from the location positioned by TIME_PREFIX.

For example, if TIME_PREFIX positions a location 11 characters into the event, and MAX_TIMESTAMP_LOOKAHEAD is set to 10, timestamp extraction will be constrained to characters 11 through 20.

If set to 0 or -1, the length constraint for timestamp recognition is effectively disabled. This can have negative performance implications which scale with the length of input lines (or with event size when LINE_BREAKER is redefined for event splitting).

128 characters
TIME_FORMAT = <strptime-style format> Specifies a strptime() format string to extract the timestamp.

strptime() is a Unix standard for designating time formats. For more information, see the section Enhanced strptime() support, below.

TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there is no TIME_PREFIX attribute). If you use a TIME_PREFIX, it must match up to and including the character before the timestamp begins. If you don't set TIME_PREFIX but you do set TIME_FORMAT, the timestamp must appear at the very start of each event; otherwise, Splunk software will not be able to process the formatting instructions, and every event will contain a warning about the inability to use strptime. (It's possible that you will still end up with a valid timestamp, based on how Splunk software attempts to recover from the problem.)

For best results, the <strptime-style format> should describe the day of the year and the time of day.

If <strptime-style format> contains an hour component, but no minute component, TIME_FORMAT ignores the hour component. It treats the format as an anomaly and considers the precision to be date-only.

empty string
TZ = <timezone_identifier> The time zone of an event is determined as follows:
  • If the event has a time zone in its raw text (such as UTC or -08:00), use that.
  • Otherwise, if TZ is set to a valid time zone string, use that. Specify a time zone setting using a value from the zoneinfo TZ database.
  • If an event that arrives at an indexer has originated from a forwarder, and both indexer and forwarder are version 6.0 or later, then use the time zone that the forwarder provides.
  • Otherwise, use the time zone of the system that runs splunkd.

For more details and examples, see Specify time zones of timestamps in this manual.

empty string
TZ_ALIAS = <key=value>[,<key=value>]... Provides admin-level control over how time zone strings extracted from events are interpreted. For example, EST can mean Eastern (US) Standard Time or Eastern (Australian) Standard Time. There are many other three letter time zone acronyms with multiple expansions.

There is no requirement to use TZ_ALIAS if the traditional Splunk default mappings for these values work as expected. For example, EST maps to the Eastern US by default.

Has no effect on the TZ value. It affects only time zone strings from event text, either from any configured TIME_FORMAT or from pattern-based guess fallback.

The setting is a list of key=value pairs, separated by commas.

The key is matched against the text of the time zone specifier of the event, and the value is the time zone specifier to use when mapping the timestamp to UTC/GMT.

The value is another TZ specifier that expresses the desired offset.

Example: TZ_ALIAS = EST=GMT+10:00 (See the props.conf example file in the Configuration File Reference for more examples).

not set
MAX_DAYS_AGO = <integer> Specifies the maximum number of days in the past, from the current date, that an extracted date can be valid.

For example, if MAX_DAYS_AGO = 10, Splunk software ignores dates older than 10 days from the current date and instead either uses the timestamp of the previous event, or uses the current index time of the event if it cannot determine a timestamp in the previous event.

The maximum settable number of days in the past is 10951.

2000 days

Note: If you have data that is more than 2000 days old, increase this setting.

MAX_DAYS_HENCE = <integer> Specifies the maximum number of days in the future from the current date that an extracted date can be valid.

For example, if MAX_DAYS_HENCE = 3, the software ignores dates that are more than 3 days in the future and instead either uses the timestamp of the previous event, or uses the current index time of the event if it cannot determine a timestamp from the previous event.

Note: False positives are less likely with a tighter window. Change this attribute with caution.

If your servers have the wrong date set or are in a time zone that is one day ahead, set this value to at least 3.

This allows timestamp extractions that are up to a day in the future.

The maximum settable number of days is 10950.

2 days
MAX_DIFF_SECS_AGO = <integer> If the event timestamp is more than <integer> seconds before the previous timestamp, Splunk software accepts it only if it has the same time format as the majority of timestamps from the source.

If your timestamps are wildly out of order, consider increasing this value.

The maximum settable number of seconds is 2147483646.

3600 seconds (1 hour)
MAX_DIFF_SECS_HENCE = <integer> If the event's timestamp is more than <integer> seconds after the previous timestamp, Splunk only accepts it if it has the same time format as the majority of timestamps from the source.

If your timestamps are wildly out of order, or if you have logs that are written less than once a week, consider increasing this value.

The maximum settable number of seconds is 2147483646.

604800 seconds (1 week)

Enhanced strptime() support

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk software implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats include:

%N For GNU date-time nanoseconds. Specify any sub-second parsing by providing the width: %3N = milliseconds, %6N = microseconds, %9N = nanoseconds.
%Q,%q For milliseconds, microseconds for Apache Tomcat. %Q and %q can format any time resolution if the width is specified.
%I For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.
%+ For standard Unix date format timestamps.
%v For BSD and OSX standard date format.
%Z The time zone abbreviation (nothing if there is no time zone information.)
%z, %:z, %::z The time zone offset designator in International Organization for Standardization (ISO) 8601 format (for example, -0800 for PST, +0000 for GMT, or nothing if the time zone cannot be determined.) Use %:z if the timestamp offset contains hours and minutes (for example, -08:00) and %::z if the timestamp offset contains hours, minutes, and seconds (for example, -08:00:00.)
%o For AIX timestamp support (%o used as an alias for %Y).
%p The locale's equivalent of AM or PM. (Note: there may be none.)
%s Epoch (10 digits)

Note: A strptime() expression that ends with a literal dot and subsecond specifier such as %Q, %q, %N treats the terminal dot and conversion specifier as optional. If the .subseconds portion is absent from the text, the timestamp is still extracted.

strptime() format expression examples

Here are some sample date formats, with the strptime() expressions that handle them:

1998-12-31 %Y-%m-%d
98-12-31 %y-%m-%d
1998 years, 312 days %Y years, %j days
Jan 24, 2003 %b %d, %Y
January 24, 2003 %B %d, %Y
1397477611.862 %s.%3N

Note: Splunk software does not recognize non-English month names in timestamps. If you have an app that writes non-English month names to log files, reconfigure the app to use numerical months, if possible.

Examples

Your data might contain an easily recognizable timestamp, such as:

...FOR: 04/24/07 PAGE 01...

To extract that timestamp, add this stanza in props.conf: 

[host::foo]
TIME_PREFIX = FOR: 
TIME_FORMAT = %m/%d/%y

Another example that includes time zone information:

Valid_Until=Thu Dec 31 17:59:59 GMT-06:00 2020

To extract the timestamp, add this to props.conf: 

[host::bar]
TIME_PREFIX = Valid_Until=
TIME_FORMAT = %a %b %d %H:%M:%S %Z%z %Y

Your data might contain other information that is parsed as timestamps, for example:

...1989/12/31 16:00:00 Wed May 23 15:40:21 2007...

Splunk software extracts the date as Dec 31, 1989, which is not useful. In this case, configure props.conf to extract the correct timestamp from events from host::foo: 

[host::foo]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s
TIME_FORMAT = %b %d %H:%M:%S %Y

This configuration assumes that all timestamps from host::foo are in the same format. Configure your props.conf stanza to be as granular as possible to avoid potential timestamping errors.

For more information on extracting the correct timestamp from events containing multiple timestamps, see Configure timestamp assignment for events with multiple timestamps.

Configure timestamps for specific needs

You can use the attributes described in this topic to configure the timestamp extraction processor for some specialized purposes, such as:

Configure how timestamps appear in search results

You can use your browser locale setting to configure how Splunk Web displays timestamps in search results. For information on setting the browser locale, see User language and locale.

Reconfigure how timestamps appear in raw data

Even though Splunk software uses the browser locale to configure how timestamps appear in search results, the raw data still remains in its original format. You might want to change this so that the data format is standardized in both raw data and search results. Do this with props.conf and transforms.conf. Here is an example:

Assume the timestamp data in the raw event looks like this: 

06/07/2011 10:26:11 PM

but you want it to look like this (to correspond with how it appears in search results): 

07/06/2011 10:26:11 PM

This example shows briefly how you can use props.conf and transforms.conf to transform the timestamp in the raw event.

In transforms.conf, add this stanza: 

[resortdate]
REGEX = ^(\d{2})\/(\d{2})\/(\d{4})\s([^/]+)
FORMAT = $2/$1/$3 $4
DEST_KEY = _raw

In props.conf, add this stanza, where <spec> qualifies your data: 

[<spec>]
TRANSFORMS-sortdate = resortdate

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around timestamp recognition and configuration.

Last modified on 03 February, 2020
PREVIOUS
How timestamp assignment works 		  NEXT
Configure timestamp assignment for events with multiple timestamps

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters