Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

akshaybahetii
New Member
‎11-17-2014 12:26 PM

I have unix timestamp in my data file .

review/time: 1182816000
review/summary: Periwinkle...

To parse this timestamp

timestamp/format: "%+"
timestamp/prefix: review/time:
lookahead: 12

the error I am getting is "Could not use strptime to parse timestamp from "1182816000\/n""

I feel splunk is unable to find the end of the timestamp. And when I specific "\d+" in prefix it fails.

I am not sure weather the time stamp is unix. But it feels like unix.
And splunk does recognize the time is 6/25/2007 5pm in the time column. Still get the error strange 😕

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:22 PM

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".

View solution in original post

Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-17-2014 02:29 PM

Try %s instead of %+. I use that for a number of UNIX timestamp logs (like Nagios) and they work fine.

If you have any characters before the timestamp on the line, be sure to include that in the count of characters if you use MAX_TIMESTAMP_LOOKAHEAD, and you may also need to use TIME_PREFIX. But these last two things are probably not going to matter if you don't have them, so only use them if you need to.

Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-18-2014 06:10 PM

Thank you cpetterborg for the help. It worked without any warning on converting "%+" to "%s" as you suggested.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:22 PM

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:30 PM

It works "fine" because Splunk ignored your request to try and look for a lengthy human-readable timestamp including time zone and all that (ie %+) and fell back to looking for the timestamp format itself.

Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-18-2014 06:09 PM

Thank you Martin for the help. It worked without any warning on converting "%+" to "%s".

0 Karma
Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-17-2014 02:28 PM

I just went ahead with the error and indexed data into splunk. Now it works fine. Still dint get the reason for the error.

0 Karma
Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-17-2014 02:26 PM

I have set MAX_DAYS_AGO = -1.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...