https://community.splunk.com/t5/Getting-Data-In/How-to-remove-DateParserVerbose-component-Error-messages/m-p/310653#M96024 <P>What Sourcetype are you using for the following hosts/sources?</P> <P><CODE>c:\inetpub\wwwroot\sf-api\logs\v3API.txt|host::SFUTIL1-TEST</CODE><BR /> <CODE>D:\sc\logs\StorageCenterLog_20170405.log|host::storage-usw-85</CODE><BR /> <CODE>D:\sc\logs\StorageCenterLog_20170405.log|host::storage-usw-83</CODE></P> <P>Can you share the props.conf for those sourcetypes?</P> <P>It looks like there could be an opportunity to improve timestamp recognition settings in props.conf ie. <CODE>TIME_PREFIX</CODE>, <CODE>TIME_FORMAT</CODE>, <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>to improve timestamping. </P> <P>There are times when ignoring these messages may be required, if the data you are ingesting is void of timestamps or has strange formatting. But let's start by ensuring your sourcetype has been configured optimally. Add data wizard on a dev machine can make this much easier as well. </P> Sat, 08 Apr 2017 14:03:06 GMT mattymo 2017-04-08T14:03:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-remove-DateParserVerbose-component-Error-messages/m-p/310652#M96023 <P>Hi,</P> <P>We are getting below mentioned Error and Warning messages in HealthOverviewApp on our cloud instance, </P> <P><STRONG>Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Apr 5 05:16:59 2017). Context: source::c:\inetpub\wwwroot\sf-api\logs\v3API.txt|host::SFUTIL1-TEST|breakable_text|554\n 3 similar messages suppressed. First occurred at: Wed Apr 5 05:17:00 2017</STRONG></P> <P><STRONG>Accepted time (Wed Apr 5 05:21:54 2017) is suspiciously far away from the previous event's time (Thu Mar 2 00:59:24 2017), but still accepted because it was extracted by the same pattern. Context: source::D:\sc\logs\StorageCenterLog_20170405.log|host::storage-usw-85|StorageCenter-production|333959</STRONG></P> <P><STRONG>Time parsed (Thu Mar 16 19:16:44 2017) is too far away from the previous event's time (Wed Apr 5 05:17:22 2017) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE (604800) may be overly restrictive. Context: source::D:\sc\logs\StorageCenterLog_20170405.log|host::storage-usw-83|StorageCenter-production|332108</STRONG></P> <P>Can anyone suggest a solution for getting these errors removed?</P> Tue, 29 Sep 2020 13:32:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-remove-DateParserVerbose-component-Error-messages/m-p/310652#M96023 arpit_1210 2020-09-29T13:32:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-remove-DateParserVerbose-component-Error-messages/m-p/310653#M96024 <P>What Sourcetype are you using for the following hosts/sources?</P> <P><CODE>c:\inetpub\wwwroot\sf-api\logs\v3API.txt|host::SFUTIL1-TEST</CODE><BR /> <CODE>D:\sc\logs\StorageCenterLog_20170405.log|host::storage-usw-85</CODE><BR /> <CODE>D:\sc\logs\StorageCenterLog_20170405.log|host::storage-usw-83</CODE></P> <P>Can you share the props.conf for those sourcetypes?</P> <P>It looks like there could be an opportunity to improve timestamp recognition settings in props.conf ie. <CODE>TIME_PREFIX</CODE>, <CODE>TIME_FORMAT</CODE>, <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>to improve timestamping. </P> <P>There are times when ignoring these messages may be required, if the data you are ingesting is void of timestamps or has strange formatting. But let's start by ensuring your sourcetype has been configured optimally. Add data wizard on a dev machine can make this much easier as well. </P> Sat, 08 Apr 2017 14:03:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-remove-DateParserVerbose-component-Error-messages/m-p/310653#M96024 mattymo 2017-04-08T14:03:06Z