Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DateParserVerbose errors unable to parse timestamp in IHS stats_log

SPlunkQR
Explorer
‎06-17-2020 05:48 AM

We are seeing tens of thousands of these events daily from Splunk trying to parse the timestamp for events in our IHS stats_log files:

06-17-2020 08:09:29.089 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (27) characters of event. Defaulting to timestamp of previous event (Wed Jun 17 07:53:07 2020).

This is our current props.conf stanza:

[ihs_stats_log]
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
TRANSFORMS-null = ihs_stats_setnull, ihs_stats_setnull_2

And each event looks something like this:

[2020 06 17 04:01:54:505],EMRPROF5,XML_FEB_S_P,SSL,indpoma4,WZ ,9RT0221A,DAL_PERSISTENT,DAL_PERSISTENT,10.200.142.36,1,0,917,39,101,0,7152,140,TAPFIGA ,0000,-

Can anyone see where we went wrong with our props.conf file and why it's not recognizing those event time stamps?

Thanks in advance for your reply.

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

SPlunkQR
Explorer
‎06-22-2020 05:09 AM

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SPlunkQR
Explorer
‎06-22-2020 05:09 AM

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

0 Karma
Reply
Solved! Jump to solution

SPlunkQR
Explorer
‎06-17-2020 05:58 AM

I didn't see an edit button so I apologize if I just missed it, but I wanted to include our transforms.conf stanzas as well for completeness:

[ihs_stats_setnull]
REGEX = ^[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

[ihs_stats_setnull_2]
REGEX = ^[-|,]{0,18}\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

We found that the log itself does not seem to break lines properly all the time as occasionally there will just be a line like these:
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-
-,-,-,-,-,-,-,-,-,10.240.121.86,-,-,-,-,-,-,-,-,-,-,-

We are trying to send those to the nullQueue.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...