Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting errors failing to parse a Unix timestamp with my current configuration?

akshaybahetii
New Member
‎11-17-2014 12:26 PM

I have unix timestamp in my data file .

review/time: 1182816000
review/summary: Periwinkle...

To parse this timestamp

timestamp/format: "%+"
timestamp/prefix: review/time:
lookahead: 12

the error I am getting is "Could not use strptime to parse timestamp from "1182816000\/n""

I feel splunk is unable to find the end of the timestamp. And when I specific "\d+" in prefix it fails.

I am not sure weather the time stamp is unix. But it feels like unix.
And splunk does recognize the time is 6/25/2007 5pm in the time column. Still get the error strange 😕

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:22 PM

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".

View solution in original post

Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-17-2014 02:29 PM

Try %s instead of %+. I use that for a number of UNIX timestamp logs (like Nagios) and they work fine.

If you have any characters before the timestamp on the line, be sure to include that in the count of characters if you use MAX_TIMESTAMP_LOOKAHEAD, and you may also need to use TIME_PREFIX. But these last two things are probably not going to matter if you don't have them, so only use them if you need to.

Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-18-2014 06:10 PM

Thank you cpetterborg for the help. It worked without any warning on converting "%+" to "%s" as you suggested.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:22 PM

Make sure you set MAX_DAYS_AGO in props.conf to a value greater than 2700 to allow a timestamp older than 2700 days ago to be parsed and treated as "correct".

Additionally, I believe you're looking for %s rather than "%+".

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:30 PM

It works "fine" because Splunk ignored your request to try and look for a lengthy human-readable timestamp including time zone and all that (ie %+) and fell back to looking for the timestamp format itself.

Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-18-2014 06:09 PM

Thank you Martin for the help. It worked without any warning on converting "%+" to "%s".

0 Karma
Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-17-2014 02:28 PM

I just went ahead with the error and indexed data into splunk. Now it works fine. Still dint get the reason for the error.

0 Karma
Reply
Solved! Jump to solution

akshaybahetii
New Member
‎11-17-2014 02:26 PM

I have set MAX_DAYS_AGO = -1.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...