All Apps and Add-ons

Receiving "Failed to parse timestamp" errors. How to configure props.conf with correct time format for Blue Coat events?

Path Finder

I am seeing many Failed to parse timestamp. Defaulting to timestamp of previous event.

I have configured the props.conf using the TIME_PREFIX = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} or TIME_FORMAT = +%Y-%m-%d %H:%m:%S and I even tried using a datetime.xml from the link and I still get errors. I have tried using with and without LINE_BREAKER = ([\r\n]+). We are also doing inline field extraction as ?[^\s]+)\s+(?[^\s]+)\s+(?[^\s]+) during search time to try and get away from the errors.

The log file looks like this

2016-09-27 08:17:53 5035 XXX.XXX.XXX.XXX V123456 - - OBSERVED "Personals/Dating" 200 TCP_NC_MISS POST application/json;charset=UTF-8 http 6080 /live/web/connect - - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" XXX.XXX.XXX.XXX 358 1893 - "none" "none" 463b0440cb7614fa-0000000087ac7413-0000000057ea2b2c - -
0 Karma


Were you getting that message before modifying props.conf? Because it looks like Splunk recognizes the timestamp with the default config in my environment. It could be possible that not all of the events are breaking correctly or some events don't have a timestamp.

With respect to what you were trying, the TIME_PREFIX setting should indicate what prefixes your timestamp (not the format of your timestamp). So in this example, it might be just a ^ (beginning of the event). And your TIME_FORMAT I don't think needs a + sign and the minute should be a capital M: "%Y-%m-%d %H:%M:%S".

I'd also recommend using MAX_TIMESTAMP_LOOKAHEAD, so that Splunk doesn't find a timestamp where you don't want it to.

So maybe something like this?

TIME_FORMAT=%Y-%m-%d %H:%M:%S
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!