Hi, Currently I am having below issues :
A possible timestamp match (Fri Aug 16 11:09:15 2013)
is outside of the acceptable time window.
• Accepted time (Fri Apr 5 00:00:00 2019)
is suspiciously far away from the previous event's time (Thu Jun 6 14:10:32 2019)
, but still acceptable because it was extracted by the same pattern Splunk
• Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD
(128) characters of the event. Splunk
• Time parsed (Fri Apr 8 00:00:00 2016)
is too far away from the previous event's time (Thu Jun 6 11:37:19 2019)
to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE
Splunk.
Below is my props.conf deployed in indexers:
[xxxxxxxxx]
DATETIME_CONFIG =
FIELD_DELIMITER = |
FIELD_NAMES = timestamp,message
HEADER_FIELD_DELIMITER = |
INDEXED_EXTRACTIONS = psv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Pipe-separated value format.
disabled = false
pulldown_type = true
SEDCMD-stupid-line-breaker = s/\----------------------------------------//g
I am planning to add these settings on my existing props configs ;
• Add MAX_DAYS_AGO = 3000
• MAX_DAYS_HENCE = 90
Will it solve my issue if I add the above two settings?
I know by default MAX_DAYS_AGO
is 2000 but here nothing is mentioned means is the default of 2000 days working?
What stanza do I need to add for this error message Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD
(128) characters of the event?
Please suggest some answers.
I'm not sure where the Aug 16 date is coming from, but it should help to specify timestamp options. Also, INDEXED_EXTRACTIONS = psv
doesn't apply here since you don't have a PSV file. Try these settings:
[mysecretsourcetype]
# Break after a line of dashes and a CR and/or LF. Discard the matching chars.
LINE_BREAKER = (----+[\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S.%5N
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
The "Failed to parse timestamp" message may be coming from the lines of dashes. These settings should eliminate those.
I'm not sure where the Aug 16 date is coming from, but it should help to specify timestamp options. Also, INDEXED_EXTRACTIONS = psv
doesn't apply here since you don't have a PSV file. Try these settings:
[mysecretsourcetype]
# Break after a line of dashes and a CR and/or LF. Discard the matching chars.
LINE_BREAKER = (----+[\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %H:%M:%S.%5N
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
The "Failed to parse timestamp" message may be coming from the lines of dashes. These settings should eliminate those.
so i will remove the line INDEXED_EXTRACTIONS = psv and adding these lines to my existing sourcetype right ? and will it fix these issues too or should i need to add some extra parameter like (• Add MAX_DAYS_AGO = 3000
• MAX_DAYS_HENCE = 90)
A possible timestamp match (Fri Aug 16 11:09:15 2013) is outside of the acceptable time window.
• Accepted time (Fri Apr 5 00:00:00 2019) is suspiciously far away from the previous event's time (Thu Jun 6 14:10:32 2019), but still accepted because it was extracted by the same pattern splunk
Time parsed (Fri Apr 8 00:00:00 2016) is too far away from the previous event's time (Thu Jun 6 11:37:19 2019) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE splunk
Please share some sample data. It's close to impossible to determine if your settings are correct without knowing what is to parse.
BTW, the SEDCMD
attribute goes in transforms.conf.
Sure here is sample event logs from splunk , i dont have actual logs now , if it wont works i will upload the actual logs shortly :
6/6/19
5:57:31.000 PM
host = xxxxxxxxxxxx source = \xxxxxxxxxxx\Logs\Prod\PlatformServices\UnemploymentDocumentProcessorClaimsQuestionaires\Audit.log sourcetype = xxxxxxxxxx
6/6/19
5:57:31.000 PM
host = xxxxxxxxxxxxx source = \xxxxxxxxxxxxxx\Logs\Prod\PlatformServices\UnemploymentDocumentProcessorClaimsQuestionaires\Audit.log sourcetype = xxxxxxxxxxx
here is the sample of actual server logs:
Please help me out to fix these above mentioned errors.