Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded
I have one sample event. When I try this, it gives me a "could not use strptime to parse timestamp" error. Picture attached.
Below is my sample props.conf:
[ email_log ]
BREAK_ONLY_BEFORE=\w+\s+\d+\s+\d+:\d+:\d+
CHARSET=AUTO
MAX_TIMESTAMP_LOOKAHEAD=15
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%a %d %H:%M:%S
disabled=false
pulldown_type=true
Your TIME_FORMAT is wrong. You have %a, which represents the day of the week, but your log is showing the shorthand month, which should be %b.
Here's the correct format:
TIME_FORMAT=%b %d %H:%M:%S
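To see the %a versus %b mistake outside Splunk, here is an added example (it is not part of the thread and not Splunk code). Python's strptime uses the same conversion specifiers as Splunk's TIME_FORMAT for these fields, so it reproduces the "could not use strptime to parse timestamp" failure on the sample event. The event string is a constructed copy of the one posted above; the `parse_timestamp` helper and its 15-character window (mirroring MAX_TIMESTAMP_LOOKAHEAD=15 with no TIME_PREFIX) are assumptions for the demonstration.

```python
"""Why TIME_FORMAT "%a %d %H:%M:%S" fails and "%b %d %H:%M:%S" works.

Added example, not from the Splunk Answers thread. The specifiers %a, %b, %d,
%H, %M and %S mean the same thing to Python's strptime as to Splunk's
TIME_FORMAT, so the failure can be reproduced here.
"""
from datetime import datetime
from typing import Optional

# Constructed sample event, modelled on the sendmail syslog line in the thread.
SAMPLE_EVENT = "Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded"

WRONG_FORMAT = "%a %d %H:%M:%S"  # %a = abbreviated weekday name (Mon, Tue, ...)
RIGHT_FORMAT = "%b %d %H:%M:%S"  # %b = abbreviated month name   (Jan, Feb, ...)


def parse_timestamp(event: str, time_format: str, lookahead: int = 15) -> Optional[datetime]:
    """Mimic Splunk's timestamp extraction for an event with no TIME_PREFIX.

    With no TIME_PREFIX, extraction starts at the first character of the event
    and examines at most MAX_TIMESTAMP_LOOKAHEAD characters; 15 is exactly the
    width of "Feb 18 18:36:20". Returns None when strptime rejects the text,
    which is what Splunk reports as "could not use strptime to parse timestamp".
    Note: syslog timestamps carry no year, so Python fills in 1900 here,
    whereas Splunk assigns the current year (a known caveat around New Year).
    """
    window = event[:lookahead]
    try:
        return datetime.strptime(window, time_format)
    except ValueError:
        return None


if __name__ == "__main__":
    for fmt in (WRONG_FORMAT, RIGHT_FORMAT):
        result = parse_timestamp(SAMPLE_EVENT, fmt)
        print(f"{fmt!r}: {'FAILED' if result is None else result.isoformat()}")
    # %a would only succeed if the event actually started with a weekday name.
    print(parse_timestamp("Mon 18 18:36:20 smtp2 sm-mta[1]: test", WRONG_FORMAT))
```

Running it prints a failure for the %a format and a parsed timestamp for the %b format; the last line shows that %a is not "wrong" in general, it simply expects a weekday name ("Mon") where this log has a month name ("Feb").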
Yes, you are right. My silly mistake.
The lab results are giving me the errors below:
- Data Onboarding – Default (empty) TIME_FORMAT (contrary to best practices).
- Data Onboarding – Default (empty) TIME_PREFIX (contrary to best practices).
- Data Onboarding – Default TRUNCATE; should have been set lower as a safety switch against bad data.
- Data Onboarding – LINE_BREAKER not up to best practices. As a reminder, the default is '([\r\n]+)', read as 'a capture group matching one or more new line or carriage return line feeds.' The goal is to enhance this, for this sample, by including extra information like the date stamp which signals 'not just a new line, but a new event'. Splunk treats the capture group like a 'hole punch' as the text to remove to separate events from one another within the file.
Can you please support me with these?
BREAK_ONLY_BEFORE=\w+\s+\d+\s+\d+:\d+:\d+
SHOULD_LINEMERGE=true
this is not best practice.
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
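The "hole punch" behaviour of LINE_BREAKER, and the effect of adding the date stamp to it as the lab asks, can be simulated outside Splunk. The following is an added example (not from the thread and not Splunk's code): it splits a constructed sendmail-style sample, one event of which is wrapped onto an indented continuation line, first with the default `([\r\n]+)` and then with a breaker that only fires when the newline is followed by a syslog timestamp. The `split_events` helper, the timestamp-anchored regex, the sample text and the character-based TRUNCATE emulation are all assumptions made for the demonstration.

```python
"""Simulate Splunk's LINE_BREAKER "hole punch" and TRUNCATE on sample text.

Added example, not from the thread. LINE_BREAKER must contain exactly one
capture group: Splunk breaks the stream wherever the regex matches and discards
the text captured by that group, so whatever follows the match starts the next
event. A lookahead placed after the group makes the break depend on what
follows the newline (here a syslog-style "Mon DD HH:MM:SS") without removing it.
"""
import re
from typing import List

# Constructed raw input: three sendmail-style events; the second is wrapped onto
# an indented continuation line that carries no timestamp of its own.
RAW_LOG = (
    "Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded\n"
    "Feb 18 18:36:21 smtp2 sm-mta[17873]: l1J0a3fP017873: from=<user@example.com>,\n"
    "    size=1024, class=0, nrcpts=1\n"
    "Feb 18 18:36:22 smtp2 sm-mta[17873]: l1J0a3fP017873: to=<ops@example.com>, stat=Sent\n"
)

# Splunk's default: break on every run of CR/LF and nothing else.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Break only where the newline run is followed by "Mon DD HH:MM:SS". The
# lookahead sits outside the capture group, so the timestamp is kept and
# becomes the first thing in the next event.
TIMESTAMP_LINE_BREAKER = r"([\r\n]+)(?=\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"


def split_events(raw: str, line_breaker: str, truncate: int = 10000) -> List[str]:
    """Split raw text into events the way LINE_BREAKER + TRUNCATE would.

    Pattern.split() with one capture group returns the captured separators in
    the odd positions of the result; dropping them is the "hole punch". Each
    event is then cut to `truncate` characters (Splunk's TRUNCATE is measured
    in bytes, defaults to 10000, and 0 disables truncation). A trailing
    end-of-stream newline is stripped from each event.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups != 1:
        raise ValueError("LINE_BREAKER needs exactly one capture group")
    parts = pattern.split(raw)
    events = [p.rstrip("\r\n") for p in parts[0::2] if p.strip()]
    if truncate > 0:
        events = [e[:truncate] for e in events]
    return events


if __name__ == "__main__":
    for name, breaker in (("default", DEFAULT_LINE_BREAKER),
                          ("timestamp-anchored", TIMESTAMP_LINE_BREAKER)):
        events = split_events(RAW_LOG, breaker)
        print(f"{name}: {len(events)} events")
        for event in events:
            print("  |" + event.replace("\n", "\\n"))
```

With the default breaker the continuation line becomes a fourth, timestamp-less event; with the timestamp-anchored breaker it stays attached to the event it belongs to, which is why SHOULD_LINEMERGE=false plus a LINE_BREAKER that knows what a new event looks like replaces BREAK_ONLY_BEFORE. The corresponding props.conf lines would be `SHOULD_LINEMERGE=false` and `LINE_BREAKER=([\r\n]+)(?=\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})` (an assumption, written for this sample), with TRUNCATE lowered to a value just above the longest legitimate line so a runaway line is cut rather than swallowed whole.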
Sorry, I did not get your point. Are you referring to the first point or the 2nd point?
And what about TIME_PREFIX and TRUNCATE? Can you please advise on this as well?
See https://answers.splunk.com/answers/227121/what-is-the-difference-between-line-breaker-and-br.html
TIME_PREFIX: no need.
TRUNCATE: do you have a problem?