@richgalloway  Above is the error. Please help me how to fix this one.

I got the time zone decoder wrong. Try my updated reply.

@richgalloway I will try and let you know.

@richgalloway Still showing the same error. Please let me know to fix this.

You can try adding TIME_PREFIX = \<

@faizancool85  yes added but still not working. But when i remove TIME_FORMAT completely and use only LINE_BREAKER=\w{3}\s\d{2},\s\d{4}\s\d{2}:\d{2}:\d{2},\d{3}\s\w{2}\s\w{3}

It is perfectly parsed. But i want to use time format also. Please let me know what is the reason that not get parsed or showing the above error as mentioned earlier.

 

 

@uagraw01  Can you paste here a sample data? 

 @faizancool85  The same error which i pasted earlier.

A screen shot is not sample data. Sample data is something we can paste into our own Splunk instances to test possible solutions.

<July 13, 2020 10:55:02,572 PM CDT> <Error> <oracle.oam.binding> <OAM-00002> <Error occurred while handling the request.

 

This is the sample log.

Thanks for the sample. It works on my system using the settings we've discussed.
I find it interesting that an error is displayed even though the timestamps are interpreted correctly.

@richgalloway Yes same thing happened from my side. It is parsed but same error is displayed.

You don't need extra Time setting on props.conf

Splunk can extract timestamps

[ your sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=AUTO
TRANSFORMS-your_setting = your_setting

Looks like you're missing an Index-time setting, It's highly recommended to define below 6 index-time settings whenever your onboarding new data sources. I believe you're missing these.  Try to define with this to solve the issue.

• TIME_PREFIX
• TIME_FORMAT
• MAX_TIMESTAMP_LOOKAHEAD
• LINE_BREAKER
• SHOULD_LINEMERGE
• TRUNCATE

@faizancool85  i used all these six settings but when i used TIME_FORMAT the above error is showing to me.