Need assistance in writing props: Why is search failing to parse timestamp?

Ash1 — Wed, 19 Oct 2022 15:45:39 GMT

1. I have below logs:
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call), unable to find the logs from this server.
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call)
server6z: INFO could not find the logs under this path(apimanager call), unable to find the logs from this server.
server6z: INFO could not find the logs under this path(apimanager call)

i have mentioned in my props
should_linemerge=false
line_breaker=([\r\n]+)

but i am seeing error like failed to parse timestamp
defaulting to file modtime.
How to resolve this issue.

2. I am getting the same issue as above for this type of logs as well

Sample logs:
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/path/svgt/app/loadscript/file.com: coloumn12: /path/svgt/app/loadscript/file.com: not able to view file
/applicatins/dir/wrd-start/loadscript/filedata.com: line24: /applicatins/dir/wrd start/loadscript/filedata.com: not able to read the files

Re: Need assistance in writing props- failed to parse timestamp?

richgalloway — Wed, 19 Oct 2022 13:10:35 GMT

The message "failed to parse timestamp" means Splunk could not find a timestamp in your logs that matches what it expected. Perhaps, and this appears to the case here, there is no timestamp at all.

To fix the problem, make sure the props.conf settings correctly tell Splunk where to find the timestamp in each event and how it is formatted. Specifically, include these settings:

TIME_PREFIX TIME_FORMAT MAX_TIMESTAMP_LOOKAHEAD

For logs that have no timestamp at all, then let Splunk know that with this props.conf setting, which uses the current time as the event time.

DATETIME_CONFIG = CURRENT

Re: Need assistance in writing props- failed to parse timestamp?

Ash1 — Thu, 20 Oct 2022 01:12:06 GMT

Thank you,

DATETIME_CONFIG = CURRENT

worked.

topic Re: Need assistance in writing props- failed to parse timestamp? in Splunk Enterprise

Need assistance in writing props: Why is search failing to parse timestamp?

Re: Need assistance in writing props- failed to parse timestamp?

Re: Need assistance in writing props- failed to parse timestamp?