https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508912#M86567 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>! The question is about a field extraction for a specific sourcetype, not the root cause of the event. I have yet to dig into it - but looks like these "<SPAN class="t">Failed</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">parse</SPAN> <SPAN class="t">timestamp</SPAN> <SPAN class="t">in</SPAN> <SPAN class="t">first</SPAN> <SPAN class="t h"><SPAN class="t">MAX_TIMESTAMP</SPAN>_<SPAN class="t">LOOKAHEAD</SPAN></SPAN>" errors are happening in several places (hosts, sourcetypes) and will have to be dealt with separately and individually. For now, I just need a "best practice" on how to get those fields out of the "Context" portion of those errors. Thanks again.</P> Mon, 13 Jul 2020 20:44:45 GMT mitag 2020-07-13T20:44:45Z https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508884#M86563 <P>in splunkd events on indexers such as this:</P><P>&nbsp;</P><LI-CODE lang="markup">07-13-2020 11:42:03.337 -0700 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Mon Jul 13 11:42:02 2020). Context: source=/Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/lux.log|host=mac_mini04|symantec:silo:NFM=LiveUpdate:lux|233394</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">host = splunk_indexer_01 | source = /opt/splunk/var/log/splunk/splunkd.log | sourcetype = splunkd</LI-CODE><P>&nbsp;</P><P>... it does not look like fields in the "Context: " portion of the events are extracted:</P><P>&nbsp;</P><LI-CODE lang="markup">Context: source=/Library/Application Support/Symantec/Silo/NFM/LiveUpdate/Logs/lux.log|host=bpa-mit-mini04|symantec:silo:NFM=LiveUpdate:lux|233394</LI-CODE><P>&nbsp;</P><P>Do I need to manually extract them via rex? If so - has anyone done this and could perhaps share a template rex command for this event type? If not, what's the best practice?</P><P>Thank you!</P><P>P.S. Something like this?</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal sourcetype=splunkd "Context: " | rex field=event_message "Context\:\s+(?P&lt;Context&gt;source\=(?P&lt;context_source&gt;\S+?)?[\||$]host\=(?P&lt;context_host&gt;\S+?)(?:\|(?P&lt;context_tail&gt;.*))$)"</LI-CODE><P>&nbsp;</P> Mon, 13 Jul 2020 20:47:07 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508884#M86563 mitag 2020-07-13T20:47:07Z https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508895#M86566 <P>Basically this error means that splunk couldn’t recognize valid time stamp on your event within 128 character from beginning of event.&nbsp;<BR />Can you send sample events and your inputs, props and possible transformations.conf files?</P><P>r. Ismo</P> Mon, 13 Jul 2020 19:24:17 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508895#M86566 isoutamo 2020-07-13T19:24:17Z https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508912#M86567 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>! The question is about a field extraction for a specific sourcetype, not the root cause of the event. I have yet to dig into it - but looks like these "<SPAN class="t">Failed</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">parse</SPAN> <SPAN class="t">timestamp</SPAN> <SPAN class="t">in</SPAN> <SPAN class="t">first</SPAN> <SPAN class="t h"><SPAN class="t">MAX_TIMESTAMP</SPAN>_<SPAN class="t">LOOKAHEAD</SPAN></SPAN>" errors are happening in several places (hosts, sourcetypes) and will have to be dealt with separately and individually. For now, I just need a "best practice" on how to get those fields out of the "Context" portion of those errors. Thanks again.</P> Mon, 13 Jul 2020 20:44:45 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508912#M86567 mitag 2020-07-13T20:44:45Z https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508928#M86571 <P>Sorry that ;-( I should read the whole message and think little bit more before answer.</P><P>you could try the next one</P><P>&nbsp;<SPAN>&nbsp;</SPAN></P><PRE>...<BR />| rex "Context:\s+(?&lt;context&gt;.*)"<BR />| rex field=context max_match=0 "source=(?&lt;context_source&gt;[^\|]+)|host=(?&lt;context_host&gt;[^\|]+)"</PRE> Mon, 13 Jul 2020 22:11:31 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508928#M86571 isoutamo 2020-07-13T22:11:31Z https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508939#M86572 <P>Thank you! Much cleaner than mine.</P> Mon, 13 Jul 2020 22:32:00 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-fields-from-quot-event-message-quot-quot-context-quot/m-p/508939#M86572 mitag 2020-07-13T22:32:00Z