https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96801#M20173 <P>Hi,</P> <P>I didn't found the answer. I got splunk 5.0.1 and it worked good!<BR /> Since I've installed four apps :<BR /> -TA-cisco_asa<BR /> -Splunk_for_CiscoASA<BR /> -maps<BR /> -sideview_utils</P> <P>I restart splunk , I added data syslog with UDP port 514 and I see a yellow bar with :<BR /> "received event for unconfigured/disabled/deleted index='firewall' with source='source::udp:514' host='host::192.X.X.X' sourcetype='sourcetype::cisco:asa' (1 missing total)"</P> <P>And in my splunkd.log we can see : <BR /> "DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Jan 23 11:29:58 2013). Context: source::514|host::192.X.X.X|syslog|"</P> <P>Would I have missed a conf ?</P> <P>Thanks to help me !</P> Mon, 28 Sep 2020 13:10:09 GMT yoann 2020-09-28T13:10:09Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96801#M20173 <P>Hi,</P> <P>I didn't found the answer. I got splunk 5.0.1 and it worked good!<BR /> Since I've installed four apps :<BR /> -TA-cisco_asa<BR /> -Splunk_for_CiscoASA<BR /> -maps<BR /> -sideview_utils</P> <P>I restart splunk , I added data syslog with UDP port 514 and I see a yellow bar with :<BR /> "received event for unconfigured/disabled/deleted index='firewall' with source='source::udp:514' host='host::192.X.X.X' sourcetype='sourcetype::cisco:asa' (1 missing total)"</P> <P>And in my splunkd.log we can see : <BR /> "DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Jan 23 11:29:58 2013). Context: source::514|host::192.X.X.X|syslog|"</P> <P>Would I have missed a conf ?</P> <P>Thanks to help me !</P> Mon, 28 Sep 2020 13:10:09 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96801#M20173 yoann 2020-09-28T13:10:09Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96802#M20174 <P>The bar suggests you're trying to write events into an index 'firewall' that doesn't exist.</P> <P>Compare your inputs on all forwarders with the indexes on your indexers, they likely don't fit together.</P> Wed, 23 Jan 2013 11:17:12 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96802#M20174 martin_mueller 2013-01-23T11:17:12Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96803#M20175 <P>yeah , that's why i don't understand in /usr/local/splunk/etc/system/local/ I can see : inputs.conf README server.conf tenants.conf that's all ...</P> Wed, 23 Jan 2013 12:18:26 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96803#M20175 yoann 2013-01-23T12:18:26Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96804#M20176 <P>system/local is one of many many places configuration files can reside in. It's not enough to check just that one.</P> Wed, 23 Jan 2013 12:23:48 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96804#M20176 Ayn 2013-01-23T12:23:48Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96805#M20177 <P>I have to search indexes.conf ?</P> Wed, 23 Jan 2013 12:26:21 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96805#M20177 yoann 2013-01-23T12:26:21Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96806#M20178 <P>Nobody know ?</P> Wed, 23 Jan 2013 14:30:53 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96806#M20178 yoann 2013-01-23T14:30:53Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96807#M20179 <P>As Ayn said, there potentially are a million places that may contain configuration. To make sure you need to check each and every one.</P> Wed, 23 Jan 2013 15:57:05 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96807#M20179 martin_mueller 2013-01-23T15:57:05Z https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96808#M20180 <P>I proceeded otherwise, I used splunkforward and there is no message now</P> Wed, 23 Jan 2013 16:06:48 GMT https://community.splunk.com/t5/Getting-Data-In/received-event-and-Failed-to-parse-timestamp/m-p/96808#M20180 yoann 2013-01-23T16:06:48Z