https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488033#M83536 <P>This worked for me: </P> <P>I increased the <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> in props.conf to <CODE>90</CODE>. and then I removed the subsecond from your datetime.xml file.</P> <P>The following is what worked for me. </P> <PRE><CODE>&lt;datetime&gt; &lt;!-- Request Set Number: [444888] - Scheduled Run Date: [2020-03-05 16:45:22.0] --&gt; &lt;define name="custom1" extract="year,month,day,hour,minute,second,"&gt; &lt;text&gt;&lt;![CDATA[\[(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2})]]&gt;&lt;/text&gt; &lt;/define&gt; &lt;!-- [Threat-11] 03/04 17:10:58,109, INFO --&gt; &lt;define name="custom2" extract="month,day,hour,minute,second,subsecond,"&gt; &lt;text&gt;&lt;![CDATA[\s(\d{2})\/(\d{2})\s(\d{2}):(\d{2}):(\d{2}),(\d{3})]]&gt;&lt;/text&gt; &lt;/define&gt; &lt;timePatterns&gt; &lt;use name="custom1"/&gt; &lt;use name="custom2"/&gt; &lt;/timePatterns&gt; &lt;datePatterns&gt; &lt;use name="custom1"/&gt; &lt;use name="custom2"/&gt; &lt;/datePatterns&gt; &lt;/datetime&gt; </CODE></PRE> Fri, 06 Mar 2020 02:56:49 GMT zacharychristen 2020-03-06T02:56:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488032#M83535 <P>A single source have two different types of events and two different types of timestamps.</P> <P>raw event-1: Request Set Number: [1234567] - Scheduled Run Date: [2020-03-05 16:10:37.0] -source -values [{ all values} 5 more lines of data]<BR /> raw-event-2: [Threat-123] 03/05 17:30:05,159, INFORMATION, [process name, process number]</P> <P>I tried with xml file and props.conf but is didn't fix the issue</P> <P>XML:</P> <PRE><CODE>&lt;datetime&gt; &lt;!-- Request Set Number: [444888] - Scheduled Run Date: [2020-03-05 16:45:22.0] --&gt; &lt;define name="_datetimeformat1" extract="year, month, day, hour, minute, second , subsecond"&gt; &lt;text&gt;\[(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2}).(\d{1,4})\]&lt;/text&gt; &lt;/define&gt; &lt;!-- [Threat-11] 03/04 17:10:58,109, INFO --&gt; &lt;define name="_datetimeformat2" extract="month, day, hour, minute, second, subsecond"&gt; &lt;text&gt;\s(\d{2})\/(\d{2})\s(\d{2}):(\d{2}):(\d{2}),(\d{3})&lt;/text&gt; &lt;/define&gt; &lt;timePatterns&gt; &lt;use name="_datetimeformat1"/&gt; &lt;use name="_datetimeformat2"/&gt; &lt;/timePatterns&gt; &lt;datePatterns&gt; &lt;use name="_datetimeformat1"/&gt; &lt;use name="_datetimeformat2"/&gt; &lt;/datePatterns&gt; &lt;/datetime&gt; </CODE></PRE> <P>Props.conf:</P> <PRE><CODE>[my sourcetype] DATETIME_CONFIG = /etc/apps/SourcetypeName-datetime.xml SHOULD_LINEMERGE=false LINE_BREAKER = (Request\sSet\sNumber:\s\[\d+\]\s-\s\w+\W\w+\W\w+:\s\[|\[Threat-\d{1,5}\]\s) MAX_TIMESTAMP_LOOKAHEAD=60 MAX_DAYS_AGO = 45 </CODE></PRE> <P>I am still getting this error.</P> <PRE><CODE>0500 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Thu Mar 5 16:30:37 2020). Context: source:: </CODE></PRE> <P>Can some one please help me on this issue..</P> <P>Thanks in Advance.</P> Thu, 05 Mar 2020 22:39:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488032#M83535 snallam123 2020-03-05T22:39:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488033#M83536 <P>This worked for me: </P> <P>I increased the <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> in props.conf to <CODE>90</CODE>. and then I removed the subsecond from your datetime.xml file.</P> <P>The following is what worked for me. </P> <PRE><CODE>&lt;datetime&gt; &lt;!-- Request Set Number: [444888] - Scheduled Run Date: [2020-03-05 16:45:22.0] --&gt; &lt;define name="custom1" extract="year,month,day,hour,minute,second,"&gt; &lt;text&gt;&lt;![CDATA[\[(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2})]]&gt;&lt;/text&gt; &lt;/define&gt; &lt;!-- [Threat-11] 03/04 17:10:58,109, INFO --&gt; &lt;define name="custom2" extract="month,day,hour,minute,second,subsecond,"&gt; &lt;text&gt;&lt;![CDATA[\s(\d{2})\/(\d{2})\s(\d{2}):(\d{2}):(\d{2}),(\d{3})]]&gt;&lt;/text&gt; &lt;/define&gt; &lt;timePatterns&gt; &lt;use name="custom1"/&gt; &lt;use name="custom2"/&gt; &lt;/timePatterns&gt; &lt;datePatterns&gt; &lt;use name="custom1"/&gt; &lt;use name="custom2"/&gt; &lt;/datePatterns&gt; &lt;/datetime&gt; </CODE></PRE> Fri, 06 Mar 2020 02:56:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488033#M83536 zacharychristen 2020-03-06T02:56:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488034#M83537 <P>I have the same error</P> <P>DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event.</P> <P>looks like splunk is not picking anything from props.conf. MAX_TIMESTAMP_LOOKAHEAD is still 128 which is a default one.</P> <P>I did all these in master server, Do i need to update in deployment server?</P> Wed, 30 Sep 2020 04:30:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-fix-TimeStamp-issue-for-two-different-types-of-events/m-p/488034#M83537 snallam123 2020-09-30T04:30:36Z