Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are we getting "failed to parse timestamp defaulting to file mtime error" for events with no timestamp logs?

lksridhar
Explorer
‎09-26-2017 04:59 AM

Hi Folks,

we have below format logs and there is no time stamp on first 5 lines and we are getting error "failed to parse timestamp defaulting to file mtime error" while indexing the data. We have e created some timezone and prefix on props.conf but it doesn't fix the issue. Could you please anyone help me to fix the issue?

logs example:

trcd file: "dedv_w10", trcd levels: 1, rgeleaese: "742"

*
* ACTdIVE TRACE wLEVEL 1
* ACsTIVE TRAsCE CsOMPONENTS all, MJ
*
M sysno s00
M sid P015
M systemid 3290 (AMD/Inddtel x86_64 with Lgeiewnux)
M relno 742e0
M patchlevel 01
M patchno 439d

M Sun Sep 17 10:42:57 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)

Props.conf
[ ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\w{1}\s\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}

0 Karma
Reply

DalJeanis
Legend
‎09-26-2017 12:55 PM

It looks like your timestamp lookahead needs to be at least 200-300 characters to find that one.

It might be best to try to figure out a good timestamp prefix to use. if it is always right after the patchno, then perhaps something like 

 TIME_PREFIX = M patchno.{6,15}M\d

https://answers.splunk.com/answers/318191/timestamp-lookahead-questions.html

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...