I'm trying to read in a dhcpd.leases file, but some of my entries are getting the wrong timestamp, and I'm not sure how to debug it.
When I first load the file, the parser recognizes the correct timestamp:
But then, when reviewing the events, a lot of them (~25%) have the wrong timestamp.
Note the _time is 9/17/16 instead of 6/24/14
Is this just a problem with auto extraction of the timestamp?
Is there a way to debug the extraction for these events?
You will need to add the following configurations to your props.conf. These tell Splunk exactly where to look for your timestamp. You can also add them via the GUI while uploading data. These are index-time extractions, so they won't update/change any data that is already written to disk.
TIME_PREFIX = [\r\n]starts\s+\S+\s+
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 23
To add these configs via the GUI complete the following fields:
Timestamp format: %Y/%m/%d %H:%M:%S
Timestamp prefix: [\r\n]starts\s+\S+\s+
Lookahead: 23
To troubleshoot issues, I would look at:
index=_internal (log_level=WARN OR log_level=ERROR) "timestamp"
Yeah, I poked around with those regex settings; it fixed some of the problems, but there were still some oddities like this.
Looking at splunkd.log, I assume this is because the event is more than 2000 days old.
DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event
The TIME_FORMAT specified is matching timestamps (Fri Jun 18 14:48:58 2010) outside of the acceptable time window. If this timestamp is correct,
consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE
You can update those settings in props.conf, but keep in mind the retention policy. By default, Splunk deletes data older than ~6 years. You may need to increase your frozenTimePeriodInSecs setting in indexes.conf to ensure that the data isn't deleted.
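The following is an added example (not code from anyone in this thread) that simulates, on a constructed dhcpd.leases excerpt, the two mechanisms discussed above: how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD pick the `starts` value out of each lease block, and how a timestamp older than MAX_DAYS_AGO is rejected and replaced with the previous event's time, which is exactly the symptom of ~25% of events sharing a wrong _time. Assumptions: the "now" of 2016-09-17 is chosen to match the bad _time in the question; the lease records are constructed; the prefix regex allows leading whitespace (`[\r\n]\s*starts`) because ISC dhcpd writes the `starts` line indented by two spaces inside each lease block, which is my adaptation of the prefix given in the answer; and the fallback for a first event with no timestamp is approximated as "now" (Splunk itself may use the file's modification time there). MAX_DAYS_AGO=2000 and MAX_DAYS_HENCE=2 are the Splunk defaults.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed "now": the question's bad _time was 9/17/16, so pretend we index that day.
NOW = datetime(2016, 9, 17, tzinfo=timezone.utc)

# Settings from the answer above; the prefix additionally allows leading whitespace
# because dhcpd indents "  starts ..." inside each lease block (my adaptation).
TIME_PREFIX = r"[\r\n]\s*starts\s+\S+\s+"
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 23
MAX_DAYS_AGO = 2000      # Splunk default
MAX_DAYS_HENCE = 2       # Splunk default

# Constructed dhcpd.leases excerpt: a header line, a 2014 lease, a 2010 lease
# (older than MAX_DAYS_AGO relative to NOW) and a second 2014 lease.
LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 10.0.0.11 {
  starts 2 2014/06/24 14:48:58;
  ends 2 2014/06/24 16:48:58;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.12 {
  starts 5 2010/06/18 14:48:58;
  ends 5 2010/06/18 16:48:58;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.0.0.13 {
  starts 3 2014/06/25 09:00:00;
  ends 3 2014/06/25 11:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""


def split_events(text):
    """Break the file into events the way a LINE_BREAKER of [\\r\\n]+(?=lease |#) would."""
    return [e for e in re.split(r"[\r\n]+(?=lease |#)", text) if e.strip()]


def format_to_regex(fmt):
    """Turn the strptime directives used here into a regex anchored at the window start."""
    directives = {"%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
                  "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}
    out, i = "", 0
    while i < len(fmt):
        if fmt[i:i + 2] in directives:
            out += directives[fmt[i:i + 2]]
            i += 2
        else:
            out += re.escape(fmt[i])
            i += 1
    return re.compile(out)


def extract_timestamp(event):
    """Find TIME_PREFIX, then match TIME_FORMAT within MAX_TIMESTAMP_LOOKAHEAD chars after it."""
    m = re.search(TIME_PREFIX, event)
    if not m:
        return None                      # no prefix: no timestamp extraction at all
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    fm = format_to_regex(TIME_FORMAT).match(window)
    if not fm:
        return None
    # dhcpd.leases times are UTC by default, so tag the parsed value as UTC.
    return datetime.strptime(fm.group(0), TIME_FORMAT).replace(tzinfo=timezone.utc)


def in_window(ts, now=NOW, max_days_ago=MAX_DAYS_AGO, max_days_hence=MAX_DAYS_HENCE):
    """The acceptance window the DateParserVerbose warning refers to."""
    return now - timedelta(days=max_days_ago) <= ts <= now + timedelta(days=max_days_hence)


def assign_times(events, now=NOW, max_days_ago=MAX_DAYS_AGO):
    """Mimic the indexer: an unparsable or out-of-window timestamp is replaced by the
    previous event's time ('now' for the very first event, an approximation here)."""
    results, previous = [], now
    for ev in events:
        ts = extract_timestamp(ev)
        if ts is None:
            results.append((previous, "no timestamp"))
        elif not in_window(ts, now, max_days_ago):
            results.append((previous, "outside MAX_DAYS_AGO/MAX_DAYS_HENCE"))
        else:
            results.append((ts, "parsed"))
            previous = ts
    return results


if __name__ == "__main__":
    for (ts, reason), ev in zip(assign_times(split_events(LEASES)), split_events(LEASES)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {reason:38}  {ev.splitlines()[0]}")
    # Raising MAX_DAYS_AGO is what makes the 2010 lease keep its own time:
    print(assign_times(split_events(LEASES), max_days_ago=3000)[2])
```

Run it as-is and the 2010 lease inherits the 2014-06-24 time of the lease before it; pass `max_days_ago=3000` and it parses on its own, which is the effect of raising MAX_DAYS_AGO in props.conf. The second point made above still applies: once the indexer accepts such old events, frozenTimePeriodInSecs decides whether they survive.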