
Receiving "Failed to parse timestamp" errors. How to configure props.conf with correct time format for Blue Coat events?

babcolee
Path Finder

I am seeing many "Failed to parse timestamp. Defaulting to timestamp of previous event." warnings.

I have configured props.conf using TIME_PREFIX = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} or TIME_FORMAT = +%Y-%m-%d %H:%m:%S, and I even tried using a datetime.xml from the link http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem, and I still get errors. I have tried it with and without LINE_BREAKER = ([\r\n]+). We are also doing inline field extraction as ?[^\s]+)\s+(?[^\s]+)\s+(?[^\s]+) at search time to try and get away from the errors.

The log file looks like this

2016-09-27 08:17:53 5035 XXX.XXX.XXX.XXX V123456 - - OBSERVED "Personals/Dating" http://www.match.com/favorites/AddEntry.aspx?uid=fHaa9bdvp8nKGVRcFqiUEQ2 200 TCP_NC_MISS POST application/json;charset=UTF-8 http das01.rtn.services.match.com 6080 /live/web/connect - - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" XXX.XXX.XXX.XXX 358 1893 - "none" "none" 463b0440cb7614fa-0000000087ac7413-0000000057ea2b2c - -

maciep
Champion

Were you getting that message before modifying props.conf? Because it looks like Splunk recognizes the timestamp with the default config in my environment. It could be possible that not all of the events are breaking correctly or some events don't have a timestamp.

With respect to what you were trying, the TIME_PREFIX setting should indicate what prefixes your timestamp (not the format of your timestamp). So in this example, it might be just a ^ (beginning of the event). And I don't think your TIME_FORMAT needs a + sign, and the minute should be a capital M: "%Y-%m-%d %H:%M:%S".

I'd also recommend using MAX_TIMESTAMP_LOOKAHEAD, so that Splunk doesn't find a timestamp where you don't want it to.

So maybe something like this?

TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=20
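To make the difference between the two configurations concrete, here is an added example (my own code, not Splunk's timestamp extractor and not anything from either post). It emulates, in a simplified way, how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD interact: the prefix regex is searched, the format must match immediately after it within the lookahead window, and an event that fails inherits the previous event's time, which is exactly the "Defaulting to timestamp of previous event" fallback in the question. The sample events are constructed: the first is a shortened copy of the Blue Coat line above (IPs still masked), the second is a made-up neighbour with the same layout, and the third is a constructed #Fields header line with no timestamp. Only the %Y %m %d %H %M %S directives that appear on this page are supported.

```python
import re
from datetime import datetime

# Constructed sample events (shortened Blue Coat line from the question, an
# invented sibling line, and an invented header line with no timestamp).
EVENTS = [
    '2016-09-27 08:17:53 5035 XXX.XXX.XXX.XXX V123456 - - OBSERVED "Personals/Dating" '
    'http://www.match.com/favorites/AddEntry.aspx?uid=fHaa9bdvp8nKGVRcFqiUEQ2 200 TCP_NC_MISS POST',
    '2016-09-27 08:17:54 12 XXX.XXX.XXX.XXX V123456 - - OBSERVED "Search Engines/Portals" '
    'http://www.example.com/ 200 TCP_HIT GET',
    '#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result',
]

# strptime-style directives used on this page, each as an unnamed capture group.
DIRECTIVES = {
    "Y": r"(\d{4})",
    "m": r"(0[1-9]|1[0-2])",          # month 01-12: this is why %m in the minute slot fails on "17"
    "d": r"(0[1-9]|[12]\d|3[01])",
    "H": r"([01]\d|2[0-3])",
    "M": r"([0-5]\d)",                # minute 00-59
    "S": r"([0-5]\d|60)",
}


def compile_time_format(time_format):
    """Turn a TIME_FORMAT string into a regex plus the ordered directive letters.
    Literal characters (including a stray leading '+') must match exactly."""
    pattern, order, i = [], [], 0
    while i < len(time_format):
        if time_format[i] == "%" and i + 1 < len(time_format):
            letter = time_format[i + 1]
            if letter not in DIRECTIVES:
                raise ValueError(f"directive %{letter} is not supported by this emulation")
            pattern.append(DIRECTIVES[letter])
            order.append(letter)
            i += 2
        else:
            pattern.append(re.escape(time_format[i]))
            i += 1
    return re.compile("".join(pattern)), order


def extract_timestamp(event, time_prefix, time_format, max_lookahead):
    """Simplified emulation of TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD.
    The format must match right after the prefix match, inside a window of
    max_lookahead characters. Returns a datetime, or None where Splunk would
    log 'Failed to parse timestamp'."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    window = event[prefix.end(): prefix.end() + max_lookahead]
    regex, order = compile_time_format(time_format)
    m = regex.match(window)
    if m is None:
        return None
    parts = {"Y": 1970, "m": 1, "d": 1, "H": 0, "M": 0, "S": 0}
    for letter, value in zip(order, m.groups()):
        parts[letter] = int(value)
    try:
        return datetime(parts["Y"], parts["m"], parts["d"], parts["H"], parts["M"], parts["S"])
    except ValueError:  # a calendar-impossible value such as 2016-02-30
        return None


def assign_times(events, time_prefix, time_format, max_lookahead):
    """Apply the fallback from the warning: an event whose timestamp does not
    parse inherits the previous event's time. Returns [(time_or_None, parsed_ok), ...]."""
    result, previous = [], None
    for ev in events:
        ts = extract_timestamp(ev, time_prefix, time_format, max_lookahead)
        parsed = ts is not None
        if not parsed:
            ts = previous
        previous = ts
        result.append((ts, parsed))
    return result


if __name__ == "__main__":
    # Settings from the question: the prefix swallows the timestamp itself,
    # %m sits where %M belongs, and the format starts with a literal '+'.
    asked = dict(time_prefix=r"\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}",
                 time_format="+%Y-%m-%d %H:%m:%S", max_lookahead=128)
    # Settings from the answer.
    answered = dict(time_prefix=r"^", time_format="%Y-%m-%d %H:%M:%S", max_lookahead=20)
    # Same as the answer but with a lookahead too short for a 19-character timestamp.
    too_short = dict(answered, max_lookahead=10)
    for label, cfg in (("question", asked), ("answer", answered), ("short", too_short)):
        for ts, ok in assign_times(EVENTS, **cfg):
            print(f"{label:8} parsed={ok!s:5} time={ts}")
```

Running it shows every event failing under the question's settings (and the header line failing under any settings, which is the harmless case the answer hints at), all real events parsing under the answer's settings, and everything failing again once MAX_TIMESTAMP_LOOKAHEAD is smaller than the timestamp itself, so keep the lookahead at least as long as the full "%Y-%m-%d %H:%M:%S" string (19 characters) when tightening it.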