Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timestamp parsing Failing !!! pls help

xbbj3nj
Path Finder
‎04-29-2014 11:46 AM

Hi All,

All of a sudden, Timestamp parsing doesn't work in splunk when I index a file manually into the system. It ignores the logfile time and takes the current system time.
It was working well and I don't know suddenly what caused this problem, It's not even able to recognize the earlier indexed files.
It just gives the error "Timestamp parsing failed"..

Same case for event breaking too, it doesn't work either...

Can you please post a resolution to this ?

Tags (3)
Reply

spammenot66
Contributor
‎03-17-2016 09:48 AM

are you manually importing Webtrends SDC log files into SPLUNK? If so, try using the SPLUNK forwarder.

0 Karma
Reply

lguinn2
Legend
‎05-03-2014 03:03 AM

So the actual log file looks more like this

#Remark: DCS-p
#Software: WebTrends SmartSource Data Collector     
#Version: 1.0
#Date: 2014-04-22 04:47:49
#Fields: date time c-ip cs-username cs-host cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-version cs(User-Agent) cs(Cookie) cs(Referer) dcs-id 
2014-04-25 23:31:19 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx 
2014-04-25 23:31:31 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx 
2014-04-25 23:31:37 172.24.32.95 xbbjnzp fma.abc.net GET /fma/futures/default.aspx 
2014-04-25 23:31:53 172.24.32.95 xbbjnzp fma.abc.net GET /fma/trades/default.aspx

Therefore, I believe that you will want the following stanza in a local props.conf - perhaps .../etc/system/local/props.conf

[yoursourcetype]
SHOULD_LINEMERGE = false
TIME_FORMAT=%Y-%m-%d %H:%M:%S
PREAMBLE_REGEX = \#

The last line tells Splunk to ignore lines in the log file that begin with #. If you want to index these lines, just leave it off.

Make sure you specify the proper sourcetype for your inputs. If this problem is affecting multiple sourcetypes, add (or edit) a stanza in props.conf for each sourcetype.

I suspect that Splunk has begun to try to process the header, and that is confusing things.

0 Karma
Reply

somesoni2
Revered Legend
‎04-29-2014 01:08 PM

When you import a file into Splunk, you need to specify a sourcetype and configure sourcetype to correctly identify event breaking and timestamp. Till than if the data format is not in Splunk Standard (start with timestamp) it will show that error in preview screen.

0 Karma
Reply

linu1988
Champion
‎04-29-2014 01:06 PM

where exactly the log starts and ends? the config doesn't look right where these may parameters are mentioned!

simple

SHOULD_LINEMERGE=TRUE
TIME_FORMAT=%Y-%m-%d %H:%M:%S
BREAK_ONLY_BEFORE_DATE=TRUE

should see all the log times.

0 Karma
Reply

xbbj3nj
Path Finder
‎04-29-2014 12:40 PM

sample log file :

Remark: DCS-p

Software: WebTrends SmartSource Data Collector

Version: 1.0

Date: 2014-04-22 04:47:49

Fields: date time c-ip cs-username cs-host cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-version cs(User-Agent) cs(Cookie) cs(Referer) dcs-id

2014-04-25 23:31:19 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx
2014-04-25 23:31:31 172.24.32.95 xbbjnzp fma.abc.net GET /fma/default.aspx
2014-04-25 23:31:37 172.24.32.95 xbbjnzp fma.abc.net GET /fma/futures/default.aspx
2014-04-25 23:31:53 172.24.32.95 xbbjnzp fma.abc.net GET /fma/trades/default.aspx

0 Karma
Reply

xbbj3nj
Path Finder
‎04-29-2014 12:37 PM

SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
LEARN_SOURCETYPE = true
maxDist = 100
detect_trailing_nulls = false

0 Karma
Reply

xbbj3nj
Path Finder
‎04-29-2014 12:37 PM

Below is the props.conf under /opt/splunk/etc/system/default

[default]
CHARSET = UTF-8
LINE_BREAKER_LOOKBEHIND = 100
TRUNCATE = 10000
DATETIME_CONFIG = /etc/datetime.xml
ANNOTATE_PUNCT = True
HEADER_MODE =
MAX_DAYS_HENCE=2
MAX_DAYS_AGO=2000
MAX_DIFF_SECS_AGO=3600
MAX_DIFF_SECS_HENCE=604800
MAX_TIMESTAMP_LOOKAHEAD = 128
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
MAX_EVENTS = 256
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
TRANSFORMS =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner

0 Karma
Reply

linu1988
Champion
‎04-29-2014 12:26 PM

sample logs and props.conf setting please

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top