<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Time/Date Stamp errors in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403668#M71707</link>
    <description>&lt;P&gt;Hi edwardrose,&lt;BR /&gt;
I don't understand whether "no data in the log file" means that something should be in the log file but isn't, or that there is nothing to log, so it's correct to have an empty file.&lt;BR /&gt;
In the first case, you should understand why your application doesn't log to the file; in the second case, it's correct that nothing is indexed.&lt;BR /&gt;
The most important thing is why you have an error when logs are present.&lt;BR /&gt;
Could you share a sample of your logs?&lt;BR /&gt;
With a sample, it's possible to set a correct props.conf to index your logs.&lt;BR /&gt;
Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
    <pubDate>Tue, 23 Jul 2019 15:03:44 GMT</pubDate>
    <dc:creator>gcusello</dc:creator>
    <dc:date>2019-07-23T15:03:44Z</dc:date>
    <item>
      <title>Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403663#M71702</link>
      <description>&lt;P&gt;Hello &lt;/P&gt;

&lt;P&gt;I have empty log files that get monitored and I keep getting the following warnings:&lt;/P&gt;

&lt;P&gt;Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event&lt;/P&gt;

&lt;P&gt;So on some systems the log files aren't empty and on others the files are empty.  I am only getting the warning on systems with empty log files, which to me makes no sense.  Are there any ideas?&lt;/P&gt;

&lt;P&gt;thanks&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 01:25:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403663#M71702</guid>
      <dc:creator>edwardrose</dc:creator>
      <dc:date>2020-09-30T01:25:53Z</dc:date>
    </item>
    <item>
      <title>Re: Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403664#M71703</link>
      <description>&lt;P&gt;Hi edwardrose,&lt;BR /&gt;
First, what do you mean by "empty log files": is it correct that there aren't any logs (and you want to alert when there aren't any), or are logs present and you don't see them?&lt;/P&gt;

&lt;P&gt;Then, could you share a sample of your logs?&lt;/P&gt;

&lt;P&gt;Anyway, this message means that Splunk cannot find or recognize a timestamp, so you probably have to define a correct time format and time prefix.&lt;/P&gt;

&lt;P&gt;Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jul 2019 07:29:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403664#M71703</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2019-07-23T07:29:01Z</dc:date>
    </item>
    <item>
      <title>Re: Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403665#M71704</link>
      <description>&lt;P&gt;Hi @edwardrose ,&lt;/P&gt;

&lt;P&gt;I think you should use a TA for the type of log you're ingesting in order to get the timestamp and log content in the right format.&lt;/P&gt;

&lt;P&gt;Are you using a TA already?&lt;/P&gt;

&lt;P&gt;Regards,&lt;BR /&gt;
Snigdha&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jul 2019 11:48:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403665#M71704</guid>
      <dc:creator>snigdhasaxena</dc:creator>
      <dc:date>2019-07-23T11:48:49Z</dc:date>
    </item>
    <item>
      <title>Re: Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403666#M71705</link>
      <description>&lt;P&gt;Hello Giuseppe,&lt;/P&gt;

&lt;P&gt;When I say empty, I mean that the file is created but there is no data in the log file.  So there is nothing for the props.conf to compare a timestamp with, which is why I am wondering why I am getting the error.&lt;/P&gt;

&lt;P&gt;Thanks&lt;BR /&gt;
ed&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jul 2019 14:39:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403666#M71705</guid>
      <dc:creator>edwardrose</dc:creator>
      <dc:date>2019-07-23T14:39:14Z</dc:date>
    </item>
    <item>
      <title>Re: Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403667#M71706</link>
      <description>&lt;P&gt;Hello Snigdha,&lt;/P&gt;

&lt;P&gt;I am using a TA to collect the data and again like I explained to Giuseppe, a log file is created but the file is empty.  So I am just wondering why and how Splunk is reading a log file that has zero data in it and generating a warning about timestamps.&lt;/P&gt;

&lt;P&gt;thanks&lt;BR /&gt;
ed&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jul 2019 14:45:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403667#M71706</guid>
      <dc:creator>edwardrose</dc:creator>
      <dc:date>2019-07-23T14:45:57Z</dc:date>
    </item>
    <item>
      <title>Re: Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403668#M71707</link>
      <description>&lt;P&gt;Hi edwardrose,&lt;BR /&gt;
I don't understand whether "no data in the log file" means that something should be in the log file but isn't, or that there is nothing to log, so it's correct to have an empty file.&lt;BR /&gt;
In the first case, you should understand why your application doesn't log to the file; in the second case, it's correct that nothing is indexed.&lt;BR /&gt;
The most important thing is why you have an error when logs are present.&lt;BR /&gt;
Could you share a sample of your logs?&lt;BR /&gt;
With a sample, it's possible to set a correct props.conf to index your logs.&lt;BR /&gt;
Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jul 2019 15:03:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403668#M71707</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2019-07-23T15:03:44Z</dc:date>
    </item>
    <item>
      <title>Re: Time/Date Stamp errors</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403669#M71708</link>
      <description>&lt;P&gt;Your log files are not truly empty; they must be receiving some whitespace or unprintable control characters.  Let's assume the former and do something like this:&lt;/P&gt;

&lt;P&gt;In props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::/your/source/here]
TRANSFORMS-drop_empty_lines = drop_empty_lines
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In transforms.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[drop_empty_lines]
REGEX = ^\s+$
DEST_KEY=queue
FORMAT=nullQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;So instead of parsing these lines and not finding a timestamp, these are thrown away.&lt;/P&gt;</description>
      <pubDate>Sat, 27 Jul 2019 19:28:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-Date-Stamp-errors/m-p/403669#M71708</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-07-27T19:28:50Z</dc:date>
    </item>
  </channel>
</rss>

