I have a sourcetype that I have been using to try to break my logs apart, but I keep getting "Failed to parse timestamp". Here is an example:
[ logs ]
CHARSET=UTF-8
EVENT_BREAKER_ENABLE=true
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}
MAX_EVENTS=135000
MAX_TIMESTAMP_LOOKAHEAD=23
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TRUNCATE=50000
TZ=America/New_York
disabled=false
pulldown_type=true
The logs look like they are broken correctly, but I still keep getting the error about the timestamp.
Here is an example of the logs:
2022-04-25 11:28:17,743 ERROR [148] Method:C1222.MessageProcessor.ProcessResponseMessage -- String[] {Unexpected Exception:
Internal Error - Unable to find Endpoint by ApTitle. - ApTitle: 2.16.124.113620.1.22.0.1.1.64.5541482OldDeviceAddress: x.xx.xxx.xxxxxx.x.xx.x.x.x.xx.xxxxxxx, Internal Error - Unable to find Endpoint by ApTitle.}
Itron.Ami.Common.Logging.AmiException: Internal Error - Unable to find Endpoint by ApTitle.
2022-04-25 11:28:17,759 ERROR [148] Method:C1222.MessageProcessor.ProcessResponseMessage -- Unexpected System Exception: AmiException - Internal Error - Unable to find Endpoint by ApTitle. received - contact Application manager.
That seems a correct definition, except that I propose you add
TIME_PREFIX = ^
so that Splunk starts looking for the timestamp from the beginning of the event.
Actually, the length of your timestamp is 24, not 23. So you must increase
MAX_TIMESTAMP_LOOKAHEAD to at least 24, but better set it to e.g. 30.
r. Ismo
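To sanity-check a stanza like this before reloading Splunk, here is an added Python example (it is not part of the question or the answer above, and it is not Splunk code) that emulates what LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT do on the sample events: it breaks the raw text into events at the LINE_BREAKER capture group, then tries to fit TIME_FORMAT into the lookahead window after TIME_PREFIX and reports how many characters the timestamp actually occupies. The sample lines are shortened copies of the events in the question, the emulation of Splunk's breaking and extraction logic is a simplification, and treating a bare %N as six digits is an assumption.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza in the question, plus the
# TIME_PREFIX suggested in the answer.
LINE_BREAKER = r"([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%3N"
TIME_PREFIX = r"^"
MAX_TIMESTAMP_LOOKAHEAD = 23

# Constructed sample input: the two events from the question with the long
# lines shortened (not real Itron output).
RAW = (
    "2022-04-25 11:28:17,743 ERROR [148] Method:C1222.MessageProcessor.ProcessResponseMessage -- String[] {Unexpected Exception:\n"
    "Internal Error - Unable to find Endpoint by ApTitle.}\n"
    "Itron.Ami.Common.Logging.AmiException: Internal Error - Unable to find Endpoint by ApTitle.\n"
    "2022-04-25 11:28:17,759 ERROR [148] Method:C1222.MessageProcessor.ProcessResponseMessage -- Unexpected System Exception: AmiException\n"
)

_STRPTIME_TOKENS = {"%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
                    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}


def break_events(raw, line_breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER: Splunk breaks at the first capture group and
    discards it, so the text after the group starts the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def format_to_regex(fmt):
    """Turn a Splunk TIME_FORMAT into a regex matching exactly the characters
    the timestamp occupies, so its length can be measured."""
    out, i = [], 0
    while i < len(fmt):
        sub = re.match(r"%(\d)?N", fmt[i:])  # %N / %3N: subseconds
        if sub:
            # assumption: a bare %N is taken as 6 digits here
            out.append(r"\d{%s}" % (sub.group(1) or "6"))
            i += sub.end()
        elif fmt[i:i + 2] in _STRPTIME_TOKENS:
            out.append(_STRPTIME_TOKENS[fmt[i:i + 2]])
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


def extract_timestamp(event, time_prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD, time_format=TIME_FORMAT):
    """Emulate extraction: locate TIME_PREFIX, then try TIME_FORMAT on at most
    `lookahead` characters after it. Returns (datetime, matched_text) or None
    when the format does not fit inside the window."""
    pm = re.search(time_prefix, event)
    if not pm:
        return None
    window = event[pm.end():pm.end() + lookahead]
    tm = re.match(format_to_regex(time_format), window)
    if not tm:
        return None
    py_fmt = re.sub(r"%\d?N", "%f", time_format)  # Python spells subseconds as %f
    return datetime.strptime(tm.group(0), py_fmt), tm.group(0)


def check_stanza(raw, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """For each broken event, report whether the timestamp parses with the
    given lookahead and how many characters it actually needs."""
    report = []
    for ev in break_events(raw):
        parsed = extract_timestamp(ev, lookahead=lookahead)
        full = extract_timestamp(ev, lookahead=len(ev))  # no window limit
        report.append({
            "event_start": ev[:40],
            "parsed": parsed is not None,
            "timestamp": parsed[1] if parsed else None,
            "needed_lookahead": len(full[1]) if full else None,
        })
    return report


if __name__ == "__main__":
    for la in (22, 23, 30):
        print(f"MAX_TIMESTAMP_LOOKAHEAD={la}")
        for row in check_stanza(RAW, lookahead=la):
            print("  ", row)
```

Run it as-is and compare the `needed_lookahead` column against the MAX_TIMESTAMP_LOOKAHEAD you set; any event where `parsed` is False but `needed_lookahead` is set shows that the format is right and only the window is too small, while an event where both are empty means the format or TIME_PREFIX does not fit the text at all.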