https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119048#M24728 <P>Thank you for your answer.. I'm assuming this is done on the Heavy Forwarder, correct? I will give it a shot on the Heavy Forwarder and let you know..</P> Tue, 29 Oct 2013 14:40:59 GMT richnavis 2013-10-29T14:40:59Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119045#M24725 <P>I have an App that is indexing data on a Heavy forwarder. The text file has a mix of headers and data, the data containing Timnestamps. I'd like to EXCLUDE the Headers Before the Heavy Forwarder reads it and throws timestamp errors. Is there anyway to do this? Here's what the data looks like.<BR /><BR /> statusdesclong time probeid responsetime status statusdesc <BR /><BR /> -------------- ---- ------- ------------ ------ ---------- <BR /><BR /> www-ber 10/28/2013 17:24 34 874 up OK<BR /><BR /> www-ber 10/28/2013 17:23 64 1763 up OK </P> Tue, 29 Oct 2013 00:34:28 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119045#M24725 richnavis 2013-10-29T00:34:28Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119046#M24726 <P>props.conf</P> <PRE><CODE>[sourcetype_name_here] TIME_PREFIX = \s TIME_FORMAT = %m/%d/%Y %H:%M SHOULD_LINEMERGE = false TRANSFORMS-0_null_queue = nullq_header, nullq_dash REPORT-0_field_kv = field_kv </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[nullq_header] REGEX = statusdesclong DEST_KEY = queue FORMAT = nullQueue [nullq_dash] REGEX = ^\-\-\-\- DEST_KEY = queue FORMAT = nullQueue [field_kv] DELIMS = "\t" FIELDS = statusdesclong, time, probeid, responsetime, status, statusdesc </CODE></PRE> Tue, 29 Oct 2013 00:49:10 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119046#M24726 ShaneNewman 2013-10-29T00:49:10Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119047#M24727 <P>Did that help?</P> Tue, 29 Oct 2013 12:37:02 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119047#M24727 ShaneNewman 2013-10-29T12:37:02Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119048#M24728 <P>Thank you for your answer.. I'm assuming this is done on the Heavy Forwarder, correct? I will give it a shot on the Heavy Forwarder and let you know..</P> Tue, 29 Oct 2013 14:40:59 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119048#M24728 richnavis 2013-10-29T14:40:59Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119049#M24729 <P>That is correct.</P> Tue, 29 Oct 2013 14:44:49 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119049#M24729 ShaneNewman 2013-10-29T14:44:49Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119050#M24730 <P>Well.. it DID eliminate the headers from my data, thank you! However, I still do the errors in splunkd logs. It also seems that this may be delaying indexing of the data by 5-10 minutes. Here are the errors I see. Are there anyway to avoid these?<BR /><BR /> DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event</P> Tue, 29 Oct 2013 15:30:36 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119050#M24730 richnavis 2013-10-29T15:30:36Z https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119051#M24731 <P>Ah, TIME_PREFIX = \t</P> Tue, 29 Oct 2013 15:32:50 GMT https://community.splunk.com/t5/Getting-Data-In/Failed-to-parse-timestamp-on-Heavy-Forwarder/m-p/119051#M24731 ShaneNewman 2013-10-29T15:32:50Z