Getting Data In

DEBUG AggregatorMiningProcessor - Failed to parse timestamp getting this message in splunkd.log

Hemnaath
Motivator

Hi All, I could this message into my Heavy Forwarder instance (Splunkd.log) I am not sure what is the problem why I am getting this information in my splunkd.log. We are using Splunk 6.2.1 version and its running in Linux 64 bit instance VM machine. Kindly guide me on how to fix this issue, as I am very much beginner in splunk.

splunkd.log
11-06-2016 10:58:38.108 -0500 DEBUG AggregatorMiningProcessor - Failed to parse timestamp. Defaulting to time specified by data input. - data_source="/opt/syslogs/proxy/uspxxxx.xxxx.com/bluecoat.log", data_host="uspxxxx.xxxx.com", data_sourcetype="bluecoat_syslog"
11-06-2016 10:58:38.109 -0500 DEBUG AggregatorMiningProcessor - Failed to parse timestamp. Defaulting to time specified by data input. - data_source="/opt/syslogs/proxy/uspxxxx.xxxx.com/bluecoat.log", data_host="uspxxxx.xxxx.com", data_sourcetype="bluecoat_syslog"
11-06-2016 10:58:38.109 -0500 DEBUG AggregatorMiningProcessor - Failed to parse timestamp. Defaulting to time specified by data input. - data_source="/opt/syslogs/proxy/uspxxxx.xxxx.com/bluecoat.log", data_host="uspxxxx.xxxx.com", data_sourcetype="bluecoat_syslog"
11-06-2016 10:58:38.109 -0500 DEBUG AggregatorMiningProcessor - Failed to parse timestamp. Defaulting to time specified by data input. - data_source="/opt/syslogs/proxy/uspxxxx.xxxx.com/bluecoat.log", data_host="uspxxxx.xxxx.com", data_sourcetype="bluecoat_syslog"
11-06-2016 10:58:38.109 -0500 DEBUG AggregatorMiningProcessor - Failed to parse timestamp. Defaulting to time specified by data input. - data_source="/opt/syslogs/proxy/uspxxxx.xxxx.com/bluecoat.log", data_host="uspxxxx.xxxx.com", data_sourcetype="bluecoat_syslog"

thanks in advance.

Tags (1)
0 Karma
1 Solution

mattymo
Splunk Employee
Splunk Employee

Hey Hemnaath,

Splunk is just advising you that it cannot auto parse your timestamp in your bluecoat logs and is differing to the sourcetype set for that input.

what does your bluecoat props.conf look like?

- MattyMo

View solution in original post

0 Karma

mattymo
Splunk Employee
Splunk Employee

Hey Hemnaath,

Splunk is just advising you that it cannot auto parse your timestamp in your bluecoat logs and is differing to the sourcetype set for that input.

what does your bluecoat props.conf look like?

- MattyMo
0 Karma

Hemnaath
Motivator

thanks mmodestino for your quick response on this. I could see two props.conf file for bluecoat_syslog. One is under the app name called TA-Bluecoat and Another app name Admin-HVY-Forwarder.

Under TA-Bluecoat app I do not see any inputs.conf file defined, whereas under Admin-HVY-Forwarder could see inputs.conf defined but props.conf is not defined for bluecoat.

App name Admin-HVY-Forwarder - Props.conf
[host::Tesx*]
TZ = GMT

[host::TESX*]
TZ = GMT

[f5_web_server]
TIME_PREFIX = f5_time="
TRANSFORM-time = f5_syslog_time

Under app name TA-bluecoat, could see this configuration setup
Props.conf detail
[source::....bluecoat]
sourcetype = bluecoat

[bluecoat]
SHOULD_LINEMERGE=false
KV_MODE = none
REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat
LOOKUP-vendor_info_for_bluecoat = bluecoat_vendor_info_lookup sourcetype OUTPUT vendor,product
MAX_TIMESTAMP_LOOKAHEAD = 19
TIME_FORMAT = %Y-%m-%d %T
TRANSFORM-main = nullPound
TRANSFORMS-bluecoat_host_override = bluecoat_host_override
TZ = GMT

[bluecoat_syslog]
SHOULD_LINEMERGE=false
KV_MODE = none
REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat_syslog
LOOKUP-vendor_info_for_bluecoat = bluecoat_vendor_info_lookup sourcetype OUTPUT vendor,product
TIME_PREFIX = \w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s\w+.\w+.\w+.
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRANSFORM-main = nullPound
TRANSFORMS-bluecoat_host_override = bluecoat_host_override

thanks in advance.

0 Karma

mattymo
Splunk Employee
Splunk Employee

looks like ur all good! This is just a debug message telling you how splunk is setting the timestamp.

Are you running debug log level?

- MattyMo
0 Karma

Hemnaath
Motivator

thanks mmodestino, but how to figure out whether we are running the debug log level in splunk ?

0 Karma

mattymo
Splunk Employee
Splunk Employee

You likely arent...what does your inputs.conf look like for this heavy forwarder?

- MattyMo
0 Karma

Hemnaath
Motivator

Taken only particular stanza related to bluecoat_syslogs from Admin-HVY-forwarder app

/opt/splunk/etc/apps/Admin-HVY-forwarder/default

[monitor:///opt/syslogs/proxy/.../*bluecoat.log]
whitelist = .log$
sourcetype = bluecoat_syslog
index = net_proxy
host_segment = 4

0 Karma

mattymo
Splunk Employee
Splunk Employee

you set up looks fine to me...I am pretty sure these messages can be disregarded as they are simply verbose debug logs. Your timestamping is working correctly, right?

- MattyMo
0 Karma

Hemnaath
Motivator

thanks mmodestino for throwing some lights on this issue.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...