https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146487#M29846 <P>are you manually importing Webtrends SDC log files into SPLUNK? If so, try using the SPLUNK forwarder.</P> Thu, 17 Mar 2016 16:48:46 GMT spammenot66 2016-03-17T16:48:46Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146479#M29838 <P>Hi All,</P> <P>All of a sudden, Timestamp parsing doesn't work in splunk when I index a file manually into the system. It ignores the logfile time and takes the current system time.<BR /> It was working well and I don't know suddenly what caused this problem, It's not even able to recognize the earlier indexed files.<BR /> It just gives the error "Timestamp parsing failed"..</P> <P>Same case for event breaking too, it doesn't work either...</P> <P>Can you please post a resolution to this ?</P> Tue, 29 Apr 2014 18:46:11 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146479#M29838 xbbj3nj 2014-04-29T18:46:11Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146480#M29839 <P>sample logs and props.conf setting please</P> Tue, 29 Apr 2014 19:26:12 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146480#M29839 linu1988 2014-04-29T19:26:12Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146481#M29840 <P>Below is the props.conf under /opt/splunk/etc/system/default</P> <P>[default]<BR /> CHARSET = UTF-8<BR /> LINE_BREAKER_LOOKBEHIND = 100<BR /> TRUNCATE = 10000<BR /> DATETIME_CONFIG = /etc/datetime.xml<BR /> ANNOTATE_PUNCT = True<BR /> HEADER_MODE =<BR /> MAX_DAYS_HENCE=2<BR /> MAX_DAYS_AGO=2000<BR /> MAX_DIFF_SECS_AGO=3600<BR /> MAX_DIFF_SECS_HENCE=604800<BR /> MAX_TIMESTAMP_LOOKAHEAD = 128<BR /> SHOULD_LINEMERGE = True<BR /> BREAK_ONLY_BEFORE = <BR /> BREAK_ONLY_BEFORE_DATE = True<BR /> MAX_EVENTS = 256<BR /> MUST_BREAK_AFTER = <BR /> MUST_NOT_BREAK_AFTER = <BR /> MUST_NOT_BREAK_BEFORE = <BR /> TRANSFORMS = <BR /> SEGMENTATION = indexing<BR /> SEGMENTATION-all = full<BR /> SEGMENTATION-inner = inner</P> Mon, 28 Sep 2020 16:29:48 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146481#M29840 xbbj3nj 2020-09-28T16:29:48Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146482#M29841 <P>SEGMENTATION-outer = outer<BR /> SEGMENTATION-raw = none<BR /> SEGMENTATION-standard = standard<BR /> LEARN_SOURCETYPE = true<BR /> maxDist = 100<BR /> detect_trailing_nulls = false</P> Mon, 28 Sep 2020 16:29:51 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146482#M29841 xbbj3nj 2020-09-28T16:29:51Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146483#M29842 <P>sample log file :</P> <H1>Remark: DCS-p</H1> <H1>Software: WebTrends SmartSource Data Collector</H1> <H1>Version: 1.0</H1> <H1>Date: 2014-04-22 04:47:49</H1> <H1>Fields: date time c-ip cs-username cs-host cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-version cs(User-Agent) cs(Cookie) cs(Referer) dcs-id</H1> <P>2014-04-25 23:31:19 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx <BR /> 2014-04-25 23:31:31 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx <BR /> 2014-04-25 23:31:37 172.24.32.95 xbbjnzp fma.abc.net GET /fma/futures/default.aspx <BR /> 2014-04-25 23:31:53 172.24.32.95 xbbjnzp fma.abc.net GET /fma/trades/default.aspx</P> Tue, 29 Apr 2014 19:40:44 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146483#M29842 xbbj3nj 2014-04-29T19:40:44Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146484#M29843 <P>where exactly the log starts and ends? the config doesn't look right where these may parameters are mentioned!</P> <P>simple </P> <P><CODE>SHOULD_LINEMERGE=TRUE<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S<BR /> BREAK_ONLY_BEFORE_DATE=TRUE</CODE></P> <P>should see all the log times.</P> Tue, 29 Apr 2014 20:06:18 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146484#M29843 linu1988 2014-04-29T20:06:18Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146485#M29844 <P>When you import a file into Splunk, you need to specify a sourcetype and configure sourcetype to correctly identify event breaking and timestamp. Till than if the data format is not in Splunk Standard (start with timestamp) it will show that error in preview screen.</P> Tue, 29 Apr 2014 20:08:53 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146485#M29844 somesoni2 2014-04-29T20:08:53Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146486#M29845 <P>So the actual log file looks more like this</P> <PRE><CODE>#Remark: DCS-p #Software: WebTrends SmartSource Data Collector #Version: 1.0 #Date: 2014-04-22 04:47:49 #Fields: date time c-ip cs-username cs-host cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-version cs(User-Agent) cs(Cookie) cs(Referer) dcs-id 2014-04-25 23:31:19 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx 2014-04-25 23:31:31 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx 2014-04-25 23:31:37 172.24.32.95 xbbjnzp fma.abc.net GET /fma/futures/default.aspx 2014-04-25 23:31:53 172.24.32.95 xbbjnzp fma.abc.net GET /fma/trades/default.aspx </CODE></PRE> <P>Therefore, I believe that you will want the following stanza in a local <CODE>props.conf</CODE> - perhaps <CODE>.../etc/system/local/props.conf</CODE></P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE = false TIME_FORMAT=%Y-%m-%d %H:%M:%S PREAMBLE_REGEX = \# </CODE></PRE> <P>The last line tells Splunk to ignore lines in the log file that begin with <CODE>#</CODE>. If you want to index these lines, just leave it off.</P> <P>Make sure you specify the proper sourcetype for your inputs. If this problem is affecting multiple sourcetypes, add (or edit) a stanza in <CODE>props.conf</CODE> for each sourcetype.</P> <P>I suspect that Splunk has begun to try to process the header, and that is confusing things.</P> Sat, 03 May 2014 10:03:08 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146486#M29845 lguinn2 2014-05-03T10:03:08Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146487#M29846 <P>are you manually importing Webtrends SDC log files into SPLUNK? If so, try using the SPLUNK forwarder.</P> Thu, 17 Mar 2016 16:48:46 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-parsing-Failing-pls-help/m-p/146487#M29846 spammenot66 2016-03-17T16:48:46Z