Getting Data In

DateParserVerbose errors unable to parse timestamp in IHS stats_log

SPlunkQR
Explorer

We are seeing tens of thousands of these events daily from Splunk trying to parse the timestamp for events in our IHS stats_log files:

06-17-2020 08:09:29.089 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (27) characters of event. Defaulting to timestamp of previous event (Wed Jun 17 07:53:07 2020).

This is our current props.conf stanza:

[ihs_stats_log]
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
TRANSFORMS-null = ihs_stats_setnull, ihs_stats_setnull_2

And each event looks something like this:

[2020 06 17 04:01:54:505],EMRPROF5,XML_FEB_S_P,SSL,indpoma4,WZ ,9RT0221A,DAL_PERSISTENT,DAL_PERSISTENT,10.200.142.36,1,0,917,39,101,0,7152,140,TAPFIGA ,0000,-

Can anyone see where we went wrong with our props.conf file and why it's not recognizing those event time stamps?

Thanks in advance for your reply.

Labels (3)
1 Solution

SPlunkQR
Explorer

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

View solution in original post

0 Karma

SPlunkQR
Explorer

We were able to get this working by updating our stanza to the following line, in case anyone else ever runs into this similar issue with their IHS log:

[ihs_stats_log]
SHOULD_LINEMERGE=true
MAX_TIMESTAMP_LOOKAHEAD=27
TIME_PREFIX=\[
TIME_FORMAT=%Y %m %d %H:%M:%S:%3N
TZ = GMT
BREAK_ONLY_BEFORE_DATE = true
LINE_BREAKER = (,-)([\r\n]+)

0 Karma

SPlunkQR
Explorer

I didn't see an edit button so I apologize if I just missed it, but I wanted to include our transforms.conf stanzas as well for completeness:

[ihs_stats_setnull]
REGEX = ^[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

[ihs_stats_setnull_2]
REGEX = ^[-|,]{0,18}\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[-|,]*
DEST_KEY = queue
FORMAT = nullQueue

We found that the log itself does not seem to break lines properly all the time as occasionally there will just be a line like these:
-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-
-,-,-,-,-,-,-,-,-,10.240.121.86,-,-,-,-,-,-,-,-,-,-,-

We are trying to send those to the nullQueue.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...