Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DateParserVerbose errors unable to parse timestamp in IHS stats_log

SPlunkQR
Explorer
‎06-17-2020 05:48 AM

We are seeing tens of thousands of these events daily from Splunk trying to parse the timestamp for events in our IHS stats_log files:

06-17-2020 08:09:29.089 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (27) characters of event. Defaulting to timestamp of previous event (Wed Jun 17 07:53:07 2020).

This is our current props.conf stanza:

[ihs_stats_log]
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
TRANSFORMS-null = ihs_stats_setnull, ihs_stats_setnull_2

And each event looks something like this:

[2020 06 17 04:01:54:505],EMRPROF5,XML_FEB_S_P,SSL,indpoma4,WZ ,9RT0221A,DAL_PERSISTENT,DAL_PERSISTENT,10.200.142.36,1,0,917,39,101,0,7152,140,TAPFIGA ,0000,-

Can anyone see where we went wrong with our props.conf file and why it's not recognizing those event time stamps?

Thanks in advance for your reply.

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

SPlunkQR
Explorer
‎06-22-2020 05:09 AM

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

SPlunkQR
Explorer
‎06-22-2020 05:09 AM

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

0 Karma
Reply
Solved! Jump to solution

SPlunkQR
Explorer
‎06-17-2020 05:58 AM

I didn't see an edit button so I apologize if I just missed it, but I wanted to include our transforms.conf stanzas as well for completeness:

[ihs_stats_setnull]
REGEX = ^[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

[ihs_stats_setnull_2]
REGEX = ^[-|,]{0,18}\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

We found that the log itself does not seem to break lines properly all the time as occasionally there will just be a line like these:
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-
-,-,-,-,-,-,-,-,-,10.240.121.86,-,-,-,-,-,-,-,-,-,-,-

We are trying to send those to the nullQueue.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...