Solved: How to find events with Timestamp issue

ma_anand1984 · ‎09-12-2012

I'm seeing the below error in splunkd.log of an indexer

WARN DateParserVerbose - Failed to parse timestamp.

The error does give me source file, host sourcetype. But it didnt give me the event for which the timestamp fails.

Only a fraction of the logs are having issues so im not able to find them.

Is there any way to better solve this?

adamw · ‎09-12-2012

If you're on 4.3, by far the easiest way to accomplish this is to use the data preview wizard using a sample log file from the host and sourcetype indicated in the log file.

It will assist you in generating the proper props.conf for that input.

View solution in original post

adamw · ‎09-12-2012

If you're on 4.3, by far the easiest way to accomplish this is to use the data preview wizard using a sample log file from the host and sourcetype indicated in the log file.

It will assist you in generating the proper props.conf for that input.

How to find events with Timestamp issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation