
How to troubleshoot why the wrong timestamps are being parsed for a dhcpd.leases file?

bloxhorne
New Member

I'm trying to read in a dhcpd.leases file, but some of my entries are getting the wrong timestamp, and I'm not sure how to debug it.

When I first load the file, the parser recognizes the correct time stamp:

[screenshot]

But then, when reviewing the events, a lot of them (~25%) have the wrong timestamp:

[screenshot]

Note the _time is 9/17/16 instead of 6/24/14.
Is this just a problem with auto-extraction of the timestamp?
Is there a way to debug the extraction with these events?


splunk_force_as
Path Finder

You will need to add the following configurations to your props.conf. These configurations will tell Splunk exactly where to look for your timestamp. You can also add these configurations via the GUI while uploading data. These are index-time extractions, so they won't update/change any data that's already written to disk.

# props.conf, in the stanza for your dhcpd.leases sourcetype.
# Anchor on the "starts <weekday> " token so the lease start time is used;
# the \s* allows for the indentation dhcpd writes in front of "starts".
TIME_PREFIX = [\r\n]\s*starts\s+\S+\s+
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 23

To add these configs via the GUI, complete the following fields:

Timestamp format: %Y/%m/%d %H:%M:%S
Timestamp prefix: [\r\n]\s*starts\s+\S+\s+
Lookahead: 23

To troubleshoot issues, I would look at:

index=_internal (log_level=WARN OR log_level=ERROR) "timestamp"

bloxhorne
New Member

Yeah, I poked around with those regex settings. It fixed some of the problems, but there were still some oddities like this:

[screenshot]

Looking at splunkd.log, I assume this is because the event is more than 2000 days old:

DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event
The TIME_FORMAT specified is matching timestamps (Fri Jun 18 14:48:58 2010) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE

splunk_force_as
Path Finder

You can update those settings in props.conf, but keep in mind the retention policy. By default, Splunk deletes data older than ~6 years. You may need to increase your frozenTimePeriodInSecs setting in indexes.conf to ensure that the data isn't deleted.

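As an added illustration (not part of either poster's answer, and not Splunk's own parser code), the following Python script dry-runs the props.conf rules discussed in this thread (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, and the MAX_DAYS_AGO / MAX_DAYS_HENCE window with the "default to the previous event's timestamp" fallback) against a constructed dhcpd.leases sample, so you can see which lease blocks would be silently given a neighbour's _time before you reindex. The lease data is made up, the MAX_DAYS_AGO=2000 / MAX_DAYS_HENCE=2 values are Splunk's defaults, and two things are assumptions: that each `lease` block is one event (the thread does not show a LINE_BREAKER), and that a rejected first event falls back to the indexing time.

```python
"""Dry run of the Splunk timestamp rules from the thread against a
dhcpd.leases sample.  Simulation for debugging only, not Splunk's code."""
import re
from datetime import datetime, timedelta

# props.conf values from the answer above.
TIME_PREFIX = r"[\r\n]\s*starts\s+\S+\s+"
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 23
MAX_DAYS_AGO = 2000    # Splunk default
MAX_DAYS_HENCE = 2     # Splunk default

# Constructed sample (not real lease data): the middle lease is from 2010,
# i.e. more than 2000 days before a September 2016 indexing run.
SAMPLE_LEASES = """\
lease 10.0.0.15 {
  starts 2 2014/06/24 10:11:12;
  ends 2 2014/06/24 22:11:12;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.16 {
  starts 5 2010/06/18 14:48:58;
  ends 5 2010/06/19 02:48:58;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.0.0.17 {
  starts 3 2014/06/25 08:00:00;
  ends 3 2014/06/25 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# strptime directives used by TIME_FORMAT, as regexes, so the timestamp can
# be cut out of the lookahead window before strptime sees it.
_DIRECTIVE_RE = {"%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
                 "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}


def format_to_regex(fmt):
    """Translate a strptime format into an equivalent regex (only the
    directives in _DIRECTIVE_RE are supported)."""
    out, i = "", 0
    while i < len(fmt):
        directive = fmt[i:i + 2]
        if directive in _DIRECTIVE_RE:
            out += _DIRECTIVE_RE[directive]
            i += 2
        else:
            out += re.escape(fmt[i])
            i += 1
    return out


def split_events(text):
    """One event per lease block.  Assumption: line breaking happens before
    each 'lease' keyword (the thread does not show its LINE_BREAKER)."""
    return [e for e in re.split(r"(?m)^(?=lease\s)", text) if e.strip()]


def extract_timestamp(event, index_time, max_days_ago=MAX_DAYS_AGO,
                      max_days_hence=MAX_DAYS_HENCE):
    """Apply TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and the
    MAX_DAYS_AGO/MAX_DAYS_HENCE window.  Returns (datetime or None, reason)."""
    prefix = re.search(TIME_PREFIX, event)
    if not prefix:
        return None, "TIME_PREFIX did not match"
    # Splunk only looks this many characters past the end of TIME_PREFIX.
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    m = re.match(format_to_regex(TIME_FORMAT), window)
    if not m:
        return None, "TIME_FORMAT did not match within MAX_TIMESTAMP_LOOKAHEAD"
    ts = datetime.strptime(m.group(0), TIME_FORMAT)
    if ts < index_time - timedelta(days=max_days_ago):
        return None, "outside window: older than MAX_DAYS_AGO=%d" % max_days_ago
    if ts > index_time + timedelta(days=max_days_hence):
        return None, "outside window: later than MAX_DAYS_HENCE=%d" % max_days_hence
    return ts, "ok"


def assign_times(text, index_time, **window):
    """Walk the events in file order.  A rejected timestamp makes the event
    inherit the previous event's _time ('Defaulting to timestamp of previous
    event').  Assumption: a rejected first event gets the indexing time."""
    results, previous = [], index_time
    for event in split_events(text):
        ts, reason = extract_timestamp(event, index_time, **window)
        if ts is None:
            ts = previous
        results.append((event.splitlines()[0].rstrip(" {"), ts, reason))
        previous = ts
    return results


def dry_run(indexed_at_iso="2016-09-17T12:00:00", text=SAMPLE_LEASES, **window):
    """Convenience wrapper: ISO-8601 strings in and out."""
    indexed_at = datetime.fromisoformat(indexed_at_iso)
    return [(label, ts.isoformat(), reason)
            for label, ts, reason in assign_times(text, indexed_at, **window)]


if __name__ == "__main__":
    for label, ts, reason in dry_run():
        print("%-16s _time=%s  (%s)" % (label, ts, reason))
    print("--- with MAX_DAYS_AGO raised to 3000 ---")
    for label, ts, reason in dry_run(max_days_ago=3000):
        print("%-16s _time=%s  (%s)" % (label, ts, reason))
```

With the defaults, the 2010 lease is rejected and inherits the _time of the 2014 lease before it, which is the same symptom the screenshots show (a cluster of events with a neighbour's timestamp rather than a parse error). Rerunning with `max_days_ago=3000` shows the same block parsing cleanly, which is the change the splunkd.log message asks you to consider; the retention caveat in the last answer still applies.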