https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606727#M13436 <P>Thank you for the response, but it does not provide the information I need to answer the question.</P><P>What settings are in props.conf for the sourcetype other than the 3 mentioned?&nbsp;</P><P>Does the sourcetype name in props.conf match the sourcetype name in inputs.conf?</P><P>Do other props.conf files have the same sourcetype in them?&nbsp; Use the <FONT face="courier new,courier">splunk btool</FONT> command to see the exact settings Splunk is using for the sourcetype.</P><P>Is the props.conf file installed on all indexers and heavy forwarders?&nbsp; Were those indexers and HFs restarted after receiving the props.conf file?</P> Sat, 23 Jul 2022 12:34:34 GMT richgalloway 2022-07-23T12:34:34Z https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606694#M13432 <P>Hello,&nbsp;</P> <P>I have onboarded the data into Splunk which we have multiple timestamps in the event in different formats. I believe my props settings are correct however it's giving an error in Splunkd.log. Please Advise</P> <P>Error Details :</P> <P>DateParserVerbose [99999 merging_0] - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (16) characters of event. Defaulting to timestamp of previous event</P> <P>Event Details:&nbsp;</P> <P>Jul 10 14:19:08 abcdefgh81 dnsmask Jul 10 14:19:08 dnsmask[1520]: cached abcdefg43.wellness.com is 10.220.200.72</P> <P>Jul 10 14:19:08 abcdefgh81 dnsmask -- [10/July/2022:18:10:10 -9900] dnsmask[1520]: cached abcdefg43.wellness.com is 10.220.200.72</P> <P>Here are my props settings</P> <P>TIME_PREFIX=^</P> <P>TIME_FORMAT=%b %d %H:%M:%S</P> <P>MAX_TIMESTAMP_LOOKAHEAD = 16</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 25 Jul 2022 21:40:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606694#M13432 iamsplunker 2022-07-25T21:40:46Z https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606696#M13433 <P>Are those *all* of the props for that sourcetype?&nbsp; Are they in the *right* sourcetype for that data?&nbsp; Have you used btool (<FONT face="courier new,courier">splunk btool --debug props list <EM>&lt;&lt;sourcetype&gt;&gt;</EM></FONT>) to ensure the settings aren't being overridden by another app?</P><P>On which instance are the props defined?&nbsp; They should be on all indexers and heavy forwarders (if any).&nbsp; Did you restart the instances after loading the props?</P> Fri, 22 Jul 2022 21:05:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606696#M13433 richgalloway 2022-07-22T21:05:04Z https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606699#M13434 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; Yes , The sourcetype is created exclusively for this data/app. The interesting part is yes we have multiple time formats in same source coming from lot of servers.</P><P>My understanding is If we have multiple time formats in the event it should look at beginning of the event as I mentioned in TIME_PREFIX&nbsp;</P> Fri, 22 Jul 2022 21:16:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606699#M13434 iamsplunker 2022-07-22T21:16:09Z https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606727#M13436 <P>Thank you for the response, but it does not provide the information I need to answer the question.</P><P>What settings are in props.conf for the sourcetype other than the 3 mentioned?&nbsp;</P><P>Does the sourcetype name in props.conf match the sourcetype name in inputs.conf?</P><P>Do other props.conf files have the same sourcetype in them?&nbsp; Use the <FONT face="courier new,courier">splunk btool</FONT> command to see the exact settings Splunk is using for the sourcetype.</P><P>Is the props.conf file installed on all indexers and heavy forwarders?&nbsp; Were those indexers and HFs restarted after receiving the props.conf file?</P> Sat, 23 Jul 2022 12:34:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606727#M13436 richgalloway 2022-07-23T12:34:34Z https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606935#M13443 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; Thank you for your response .Other settings are</P><P>CHARSET = UTF-8</P><P>LINE_BREAKER =&nbsp;([\r\n]+)</P><P>NO_BINARY_CHECK = True</P><P>SHOULD_LINEMERGE = False</P><P>TZ = UTC</P><P>-- Yes props.conf sourcetype match with inputs.conf sourcetype</P><P>There is only 1 sourcetype created for this . This is Splunk Cloud Env</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</P> Mon, 25 Jul 2022 19:40:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606935#M13443 iamsplunker 2022-07-25T19:40:52Z https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606943#M13444 <P>Thanks for the info.&nbsp; Those props look fine.&nbsp; Are they installed on indexers as well as HFs?</P> Mon, 25 Jul 2022 19:51:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-did-Splunk-fail-to-parse-the-timestamp-in-first-MAX/m-p/606943#M13444 richgalloway 2022-07-25T19:51:58Z