Getting Data In

What are these WARN DateParserVerbose messages in splunkd.log?

Splunk Employee

On Splunk 4.1, I see a bunch of these messages. What do they mean? Should I be concerned?

    04-28-2010 13:48:32.270 WARN DateParserVerbose - Failed to parse timestamp for event. Text="Traceback (most recent call last):..."
    04-28-2010 13:48:32.270 WARN DateParserVerbose - Failed to parse timestamp for event. Text=" File "/opt/splunk/etc/system/bin/appsmanager.py", line 114, in handle_POST..."
1 Solution

Splunk Employee

These messages mean that Splunk could not find a timestamp for that particular event which was sent to Splunk. It is a warning message to suggest that you examine why your data input is not being parsed as expected. You should look for the source (or sourcetype) which contains that event and see why Splunk did not recognize a timestamp. Maybe your data does not include timestamps, and you want to force Splunk to use the current time? In this case, you should set that particular source to use the current time at the props.conf level.

Note: In earlier versions of Splunk (4.0.x), we were pretty verbose about sending this warning.


Splunk Employee

This is Splunk telling you that it is receiving data and parsing it in such a way that it cannot find a timestamp within the event. It doesn't necessarily mean that a timestamp doesn't exist, but it should spur you to investigate the data further and determine what 'should' be happening.

Most often, this is an indication that you have events being indexed as single-line but they should really be multi-line, i.e., the timestamp for the whole event is in line 1 and lines 2 - 10 are just the event body. However, Splunk is indexing each line as a single event, so lines 2 - 10 don't have a timestamp and this message is produced.

Another example is the one above: appsmanager.py is one of Splunk's internal scripts, and it doesn't have a timestamp at all, so in that case the WARN message can be safely ignored.

The WARN message itself will contain information on the source and sourcetype of the data in question, so you should be able to identify it from there. If you find that you do need to define some line-breaking or timestamp extraction rules, all of those settings are contained in props.conf and the specific docs instructions are linked from here.

SplunkTrust

I am wrestling with similar issues. The best answer I can provide is that Splunk is indexing a particular event, that is

    Traceback (most recent call last):...

or

    File "/opt/splunk/etc/system/bin/appsmanager.py"

and it can't find a pattern that matches any known sort of timestamp. There is some configuration that likely needs to be set so that Splunk will know that you are sending it a multi-line event, and know where to find the timestamp (if there is one).

0 Karma
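
As an added example (not part of the original thread and not Splunk's own configuration), here is a props.conf fragment covering the two fixes the answers above describe: forcing the current time for a source that has no timestamps, and merging multi-line events whose timestamp sits on the first line. The stanza names, the file path and the timestamp layout are assumptions made for illustration.

```ini
# props.conf -- added example; stanza names, path and timestamp layout are assumed

# Case 1: a source whose events carry no timestamp at all.
# Stamp each event with the time it is indexed instead of searching for a date,
# which also stops the DateParserVerbose warning for this source.
[source::/var/log/myapp/notimestamp.log]
DATETIME_CONFIG = CURRENT

# Case 2: multi-line events where only the first line has a timestamp,
# for example (constructed sample):
#   2010-04-28 13:48:32,270 ERROR handler failed
#   Traceback (most recent call last):
#     File "app.py", line 114, in handle_POST
# Without these settings each continuation line becomes its own event
# and fails timestamp parsing.
[myapp_traceback]
# Merge lines into one event and start a new event only at a line
# that begins with a date.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
# The timestamp starts at the beginning of the event.
TIME_PREFIX = ^
# %3N is the three-digit millisecond field after the comma.
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# "2010-04-28 13:48:32,270" is 23 characters; do not scan further,
# so dates inside the event body are never mistaken for the event time.
MAX_TIMESTAMP_LOOKAHEAD = 23
```

These settings take effect where the data is parsed (the indexer or a heavy forwarder) and apply only to events indexed after the change.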