https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572974#M10527 <P>Yeah I don't know what I'm doing, but thanks for pointing that out.&nbsp; I appreciate the untactful assist.</P> Fri, 29 Oct 2021 14:33:33 GMT walsborn 2021-10-29T14:33:33Z https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572892#M10522 <P>Hi all,</P><P>I keep getting "<SPAN class="">DateParserVerbose</SPAN> [<SPAN class="">6827</SPAN> <SPAN class="">merging</SPAN>] <SPAN class="">-</SPAN> <SPAN class="">Failed</SPAN> <SPAN class="">to</SPAN> <SPAN class="">parse</SPAN> <SPAN class="">timestamp</SPAN> <SPAN class="">in</SPAN> <SPAN class="">first</SPAN> <SPAN class="">MAX_TIMESTAMP_LOOKAHEAD</SPAN> (<SPAN class="">75</SPAN>) <SPAN class="">characters</SPAN> <SPAN class="">of</SPAN> <SPAN class="">event.</SPAN> <SPAN class="">Defaulting</SPAN> <SPAN class="">to</SPAN> <SPAN class="">timestamp</SPAN> <SPAN class="">of</SPAN> <SPAN class="">previous</SPAN> <SPAN class="">event</SPAN>" warnings.</P><P>The time stamp in the logs looks like: <SPAN class="">2021/10/28T16:06:08.183-07:00</SPAN></P><P>props.conf looks like:</P><P>DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = true<BR />MAX_TIMESTAMP_LOOKAHEAD = 75<BR />MAX_DAYS_AGO = 36500<BR />MAX_DAYS_HENCE = 36500<BR />TIME_FORMAT = %d-%b-%y %I.%M.%S.%6Q %p<BR />SHOULD_LINEMERGE = false<BR />TRUNCATE = 500000</P><P>Anyone know what my time_format should be instead?</P> Thu, 28 Oct 2021 23:16:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572892#M10522 walsborn 2021-10-28T23:16:57Z https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572904#M10524 <P>That TIME_FORMAT isn't even close so it' s no wonder Splunk is confused.&nbsp; Try this one.</P><LI-CODE lang="markup">TIME_FORMAT = %Y/%m/%dT%H:%M:%S.%3N%:z</LI-CODE><P>See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Commontimeformatvariables" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Commontimeformatvariables </A>for the metacharacters used in TIME_FORMAT.</P> Fri, 29 Oct 2021 00:14:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572904#M10524 richgalloway 2021-10-29T00:14:22Z https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572974#M10527 <P>Yeah I don't know what I'm doing, but thanks for pointing that out.&nbsp; I appreciate the untactful assist.</P> Fri, 29 Oct 2021 14:33:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/timestamp-strftime-issues/m-p/572974#M10527 walsborn 2021-10-29T14:33:33Z