Hi All,
I have some of the messages being truncated in Splunk though all other similar messages are parsing perfectly. There is no error of Truncation in the logs. Messages are of 400 lines/event.
Props.conf(Indexer)
TRUNCATE = 0
MAX_EVENTS = 1000
Splunkd.log(Indexer) Error-
04-02-2020 14:48:57.391 +0200 WARN DateParserVerbose - Time parsed (Sun Sep 23 12:09:23 2012) is too far away from the previous event's time
(Thu Apr 2 14:48:56 2020) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE (604800) may be overly restrictive.
Context: source::/APPLICATIONS/WebSphere/Logs/xxx/xxxEndpointCLONE2/xxxxENDPOINT_Splunk-messages.log|host::xxxx|ip_messages_sourcetype|680577
04-02-2020 14:56:40.255 +0200 WARN DateParserVerbose - A possible timestamp match (Sun Sep 23 12:09:23 2012) is outside of the acceptable time window.
If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::/APPLICATIONS/WebSphere/Logs/rxxx/xxxxEndpointCLONE2/
xxxxENDPOINT_Splunk-messages.log|host::xxx|ip_messages_sourcetype|680623
04-02-2020 14:56:40.255 +0200 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Apr 2 14:56:39 2020).
Context: source::/APPLICATIONS/WebSphere/Logs/xxx2xxx/xxxEndpointCLONE2/xxxxENDPOINT_Splunk-messages.log|host::xxxx|ip_messages_sourcetype|680623
Best Regards,