https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105528#M22236 <P>Who knows! I didn't have time to test it. Sometimes in Splunk if you try to be too specific you can end up with conflicting configurations that try to do things in different orders. There are probably a few wonky bits <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Feel free to click the tick next to my answer to accept if its all working now!</P> Mon, 23 Jul 2012 08:28:51 GMT Drainy 2012-07-23T08:28:51Z https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105525#M22233 <P>I have a problem with this file:</P> <PRE><CODE>----------------------------------- CLIENT 100 GUID 4F281780E49E1DC0E10080000A1E8680 INPUT_DATA SAP_SYSTEM=LD1;SAP_CLIENT=100;TITLE=Visning af tatusrecord;Function code that PAI triggered=BACK;WE02.SAPLEDI5.0100.SAPLEDI5.0100.EDI_INTDS.DOCNUM[0]()=0000000000049301; OUTPUT_DATA SAP_SYSTEM=LD1;SAP_CLIENT=100; CREATED_AT 20120201123559 CREATED_BY SZT CHANGED_AT 20120201123559 CHANGED_BY SZT TIMESTAMP 20120201093938 TRX_NAME WE02 USERNAME SZT CLIENT_PC 172.28.240.189 TECHNOLOGY 10 ---------------------------------------- </CODE></PRE> <P>I use the following configuration:</P> <PRE><CODE>BREAK_ONLY_BEFORE=^CLIENT\s+\d{3} NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true MAX_TIMESTAMP_LOOKAHEAD=14 TIME_FORMAT=%Y%m%d%H:%M:%S TIME_PREFIX=TIMESTAMP\s+ </CODE></PRE> <P>But it is like Splunk reads to much into the timestamp even though I use “MAX_TIMESTAMP_LOOKAHEAD=14”</P> <P>Splunk reports this error.<BR /> -Could not use strptime to parse timestamp from "20120201093938\nTRX_NAME WE02\nUSERNAME SZT\n<BR /> CLIENT_PC" </P> <P>Hope some one can help me</P> Mon, 28 Sep 2020 12:07:47 GMT https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105525#M22233 kennmunklarsen 2020-09-28T12:07:47Z https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105526#M22234 <P>Splunk is quite clever, sometimes its better to let it try and handle as much as possible, using the data above the following props performs the multiline extraction and timestamping correctly;</P> <PRE><CODE>BREAK_ONLY_BEFORE=CLIENT\s+ NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_PREFIX=TIMESTAMP </CODE></PRE> Mon, 23 Jul 2012 08:11:30 GMT https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105526#M22234 Drainy 2012-07-23T08:11:30Z https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105527#M22235 <P>It works!, but why did the other configuration not work?</P> Mon, 23 Jul 2012 08:15:25 GMT https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105527#M22235 kennmunklarsen 2012-07-23T08:15:25Z https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105528#M22236 <P>Who knows! I didn't have time to test it. Sometimes in Splunk if you try to be too specific you can end up with conflicting configurations that try to do things in different orders. There are probably a few wonky bits <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Feel free to click the tick next to my answer to accept if its all working now!</P> Mon, 23 Jul 2012 08:28:51 GMT https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105528#M22236 Drainy 2012-07-23T08:28:51Z https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105529#M22237 <P>Your TIME_FORMAT specifies colons; the time stamp I can see from your event sample doesn't have any. Try %Y%m%d%H%M%S.</P> Mon, 23 Jul 2012 12:37:54 GMT https://community.splunk.com/t5/Getting-Data-In/Can-not-parse-timestamp/m-p/105529#M22237 sowings 2012-07-23T12:37:54Z