Splunk appears to be failing to index the server.log for our ATG JBoss instances. On the Splunk indexer the following warning can be found in the splunkd.log.
I am new to using Splunk; any help in resolving this would be great.
07-19-2010 08:35:10.835 WARN DateParserVerbose - Failed to parse timestamp for event. Context="source::D:\Deployments\Jboss\jboss-as\server\slot1\log\server.log|host::UAT80ATGCAD01V|JBOSS|remoteport::1071" Text=" at atg.servlet.pipeline.PipelineableServletImpl.passRequest(PipelineableServletImpl.java:116) at a..."
I have been looking further into this problem. I am seeing many errors like the one below in the splunkd.log:
07-17-2010 03:20:05.782 ERROR TcpInputProc - Error encountered for connection from host=uat80atgcad01v.comops.uk.tesco.org, ip=172.25.41.100. Winsock error 10054
Please "edit" your question and add a sample event to it. It sounds like some part of your indexing logic is incorrect (timestamp recognition, or event breaking) but there is no way to provide any specific help without a specific example.
Given the Text of this event, this means that the timestamper tried to find a timestamp in a line somewhere deep into a logged stack trace. It could have been caused by the forwarder disconnecting from the indexer. Is any data indexed from this source?
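An added example, not part of the original thread and not Splunk's own logic: a small Python check that can be run over a sample of server.log to see which lines carry a timestamp and how stack-trace lines group when a new event starts only at a timestamped line. It assumes the log uses a log4j-style `YYYY-MM-DD HH:MM:SS,mmm` prefix, which the thread does not show; the sample lines and the logger name are constructed.

```python
import re
from datetime import datetime

# Assumed JBoss/log4j line prefix, e.g. "2010-07-19 08:35:10,835 ERROR [...]".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\b")

def parse_ts(line):
    """Return a datetime if the line starts with a timestamp, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int(m.group(2)) * 1000)

def break_events(lines):
    """Group lines into events, starting a new event only at a timestamped line.

    Returns (events, orphans): events is a list of (timestamp, [lines]);
    orphans are lines seen before any timestamped line, e.g. a stream that
    resumed in the middle of a stack trace after a forwarder reconnect.
    """
    events, orphans = [], []
    for line in lines:
        ts = parse_ts(line)
        if ts is not None:
            events.append((ts, [line]))       # timestamped line opens an event
        elif events:
            events[-1][1].append(line)        # continuation of the current event
        else:
            orphans.append(line)              # nothing to attach to, no timestamp
    return events, orphans

# Constructed sample: the stream starts mid-trace, as after a dropped connection.
SAMPLE = """\
\tat atg.servlet.pipeline.PipelineableServletImpl.passRequest(PipelineableServletImpl.java:116)
2010-07-19 08:35:10,835 ERROR [nucleusNamespace.Example] Request failed
java.lang.NullPointerException
\tat atg.servlet.pipeline.PipelineableServletImpl.passRequest(PipelineableServletImpl.java:116)
2010-07-19 08:35:11,002 INFO  [nucleusNamespace.Example] Recovered
""".splitlines()

if __name__ == "__main__":
    events, orphans = break_events(SAMPLE)
    for ts, body in events:
        print(ts.isoformat(), "lines:", len(body))
    print("lines with no event to attach to:", len(orphans))
```

A non-zero orphan count, or events whose first line is an `at ...` frame, points at event breaking rather than at the timestamp format itself.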