Getting Data In

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

akshaybahetii
New Member

I have a Unix timestamp in my data file.

review/time: 1182816000
review/summary: Periwinkle...

To parse this timestamp:

timestamp/format: "%+"
timestamp/prefix: review/time:
lookahead: 12

The error I am getting is "Could not use strptime to parse timestamp from "1182816000\/n""

I feel Splunk is unable to find the end of the timestamp. And when I specify "\d+" in the prefix it fails.

I am not sure whether the timestamp is Unix. But it feels like Unix.
And Splunk does recognize the time as 6/25/2007 5pm in the time column. Still getting the error, strange 😕

0 Karma
1 Solution

martin_mueller
SplunkTrust

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".


cpetterborg
SplunkTrust

Try %s instead of %+. I use that for a number of UNIX timestamp logs (like Nagios) and they work fine.

If you have any characters before the timestamp on the line, be sure to include that in the count of characters if you use MAX_TIMESTAMP_LOOKAHEAD, and you may also need to use TIME_PREFIX. But these last two things are probably not going to matter if you don't have them, so only use them if you need to.
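As an added example (not code from any post in this thread, and not Splunk's implementation), the script below emulates the extraction steps the answers refer to: locate TIME_PREFIX, take MAX_TIMESTAMP_LOOKAHEAD characters, parse them as TIME_FORMAT = %s, then apply the MAX_DAYS_AGO check. The sample event is constructed from the question, and the 2000-day MAX_DAYS_AGO default is an assumption used for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event in the layout shown in the question.
SAMPLE_EVENT = "review/time: 1182816000\nreview/summary: Periwinkle...\n"

def extract_epoch(event, time_prefix=r"review/time:\s*", lookahead=12,
                  max_days_ago=2000, now_iso=None):
    """Hypothetical simplification of Splunk's timestamp extraction.

    Returns (iso_timestamp_or_None, status). max_days_ago=2000 is the
    assumed default; a negative value disables the age check, mirroring
    the MAX_DAYS_AGO = -1 setting mentioned in the thread.
    """
    m = re.search(time_prefix, event)
    if not m:
        return None, "TIME_PREFIX not found in event"

    # The lookahead window is a raw character count after the prefix, so
    # with lookahead=12 it swallows the line break too, which is why the
    # original error message quoted "1182816000\n".
    window = event[m.end():m.end() + lookahead]

    # TIME_FORMAT = %s means "seconds since epoch": digits only, stop at
    # the first non-digit instead of trying to strptime the whole window.
    digits = re.match(r"\d+", window)
    if not digits:
        return None, f"could not parse {window!r} as %s"

    ts = datetime.fromtimestamp(int(digits.group()), tz=timezone.utc)
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))

    if max_days_ago >= 0 and (now - ts) > timedelta(days=max_days_ago):
        return ts.isoformat(), (f"timestamp is older than MAX_DAYS_AGO="
                                f"{max_days_ago} days; Splunk would not trust it")
    return ts.isoformat(), "ok"

if __name__ == "__main__":
    # Indexing in early 2015 would put the 2007 event ~2746 days back,
    # past the assumed 2000-day default but inside a limit above 2700.
    for limit in (2000, 2700, 3000, -1):
        print(limit, extract_epoch(SAMPLE_EVENT, max_days_ago=limit,
                                   now_iso="2015-01-01T00:00:00+00:00"))
```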

akshaybahetii
New Member

Thank you cpetterborg for the help. It worked without any warning on converting "%+" to "%s" as you suggested.

0 Karma

martin_mueller
SplunkTrust

It works "fine" because Splunk ignored your request to try and look for a lengthy human-readable timestamp including time zone and all that (i.e. %+) and fell back to looking for the timestamp format itself.

akshaybahetii
New Member

Thank you Martin for the help. It worked without any warning on converting "%+" to "%s".

0 Karma

akshaybahetii
New Member

I just went ahead with the error and indexed the data into Splunk. Now it works fine. Still didn't get the reason for the error.

0 Karma

akshaybahetii
New Member

I have set MAX_DAYS_AGO = -1.

0 Karma