Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- DateParserVerbose errors unable to parse timestamp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPlunkQR
Explorer
06-17-2020
05:48 AM
We are seeing tens of thousands of these events daily from Splunk trying to parse the timestamp for events in our IHS stats_log files:
06-17-2020 08:09:29.089 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (27) characters of event. Defaulting to timestamp of previous event (Wed Jun 17 07:53:07 2020).
This is our current props.conf stanza:
[ihs_stats_log]
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
TRANSFORMS-null = ihs_stats_setnull, ihs_stats_setnull_2
And each event looks something like this:
[2020 06 17 04:01:54:505],EMRPROF5,XML_FEB_S_P,SSL,indpoma4,WZ ,9RT0221A,DAL_PERSISTENT,DAL_PERSISTENT,10.200.142.36,1,0,917,39,101,0,7152,140,TAPFIGA ,0000,-
Can anyone see where we went wrong with our props.conf file and why it's not recognizing those event time stamps?
Thanks in advance for your reply.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPlunkQR
Explorer
06-22-2020
05:09 AM
We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:
[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPlunkQR
Explorer
06-22-2020
05:09 AM
We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:
[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPlunkQR
Explorer
06-17-2020
05:58 AM
I didn't see an edit button so I apologize if I just missed it, but I wanted to include our transforms.conf stanzas as well for completeness:
[ihs_stats_setnull]
REGEX = ^[-|,]*
DEST_KEY = queue
FORMAT = nullQueue
[ihs_stats_setnull_2]
REGEX = ^[-|,]{0,18}\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[-|,]*
DEST_KEY = queue
FORMAT = nullQueue
We found that the log itself does not seem to break lines properly all the time as occasionally there will just be a line like these:
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-
-,-,-,-,-,-,-,-,-,10.240.121.86,-,-,-,-,-,-,-,-,-,-,-
We are trying to send those to the nullQueue.
Get Updates on the Splunk Community!
The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...
The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...
Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25
Hello Splunkers,
Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...
Community Spotlight: A Splunk Expert's Journey
In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
