Why are we getting "failed to parse timestamp defa...

lksridhar · ‎09-26-2017

Hi Folks,

we have below format logs and there is no time stamp on first 5 lines and we are getting error "failed to parse timestamp defaulting to file mtime error" while indexing the data. We have e created some timezone and prefix on props.conf but it doesn't fix the issue. Could you please anyone help me to fix the issue?

logs example:

trcd file: "dedv_w10", trcd levels: 1, rgeleaese: "742"

*
* ACTdIVE TRACE wLEVEL 1
* ACsTIVE TRAsCE CsOMPONENTS all, MJ
*
M sysno s00
M sid P015
M systemid 3290 (AMD/Inddtel x86_64 with Lgeiewnux)
M relno 742e0
M patchlevel 01
M patchno 439d

M Sun Sep 17 10:42:57 2017
M kernel runs with dp version 3000(ext=117000) (@(#) DPLIB-INT-VERSION-0+3000-UC)

Props.conf
[ ]
SHOULD_LINEMERGE=false
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\w{1}\s\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}

DalJeanis · ‎09-26-2017

It looks like your timestamp lookahead needs to be at least 200-300 characters to find that one.

It might be best to try to figure out a good timestamp prefix to use. if it is always right after the patchno, then perhaps something like

 TIME_PREFIX = M patchno.{6,15}M\d

https://answers.splunk.com/answers/318191/timestamp-lookahead-questions.html

Why are we getting "failed to parse timestamp defaulting to file mtime error" for events with no timestamp logs?

trcd file: "dedv_w10", trcd levels: 1, rgeleaese: "742"

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!