Getting Data In

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

akshaybahetii
New Member

I have unix timestamp in my data file .

review/time: 1182816000
review/summary: Periwinkle...

To parse this timestamp

timestamp/format: "%+"
timestamp/prefix: review/time:
lookahead: 12

the error I am getting is "Could not use strptime to parse timestamp from "1182816000\/n""

I feel splunk is unable to find the end of the timestamp. And when I specific "\d+" in prefix it fails.

I am not sure weather the time stamp is unix. But it feels like unix.
And splunk does recognize the time is 6/25/2007 5pm in the time column. Still get the error strange 😕

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".

View solution in original post

cpetterborg
SplunkTrust
SplunkTrust

Try %s instead of %+. I use that for a number of UNIX timestamp logs (like Nagios) and they work fine.

If you have any characters before the timestamp on the line, be sure to include that in the count of characters if you use MAX_TIMESTAMP_LOOKAHEAD, and you may also need to use TIME_PREFIX. But these last two things are probably not going to matter if you don't have them, so only use them if you need to.

akshaybahetii
New Member

Thank you cpetterborg for the help. It worked without any warning on converting "%+" to "%s" as you suggested.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".

martin_mueller
SplunkTrust
SplunkTrust

It works "fine" because Splunk ignored your request to try and look for a lengthy human-readable timestamp including time zone and all that (ie %+) and fell back to looking for the timestamp format itself.

akshaybahetii
New Member

Thank you Martin for the help. It worked without any warning on converting "%+" to "%s".

0 Karma

akshaybahetii
New Member

I just went ahead with the error and indexed data into splunk. Now it works fine. Still dint get the reason for the error.

0 Karma

akshaybahetii
New Member

I have set MAX_DAYS_AGO = -1.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...