"DateParserVerbose - Failed to parse timestamp" Er...

sonicZ · ‎10-22-2014

I am getting these errors, even though i think i have the timestamp parsed correctly based on other splunk answers.

2014 22:22:16.138 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Oct 22 22:22:14 2014). Context: source::/app/logs/ocspresponder/ocspresponder.log|host::rat3be-d1-ap|ocsp_app|3549
10-22-2014 22:22:16.138 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Oct 22 22:22:14 2014). Context: source::/app/logs/ocspresponder/ocspresponder.log|host::rat3be-d1-ap|ocsp_app|3549

Some sample data i am working with is as follows.

2014-10-21 22:01:07,348 [http-bio-8080-exec-1895] INFO  [c.s.s.o.c.OcspController]  GET IP: 24.222.89.103, 10.246.43.228, 72.246.43.217, 207.14.2.74  SN:  10c9cc  CA:  10923  SUCC

Here's my props.conf that i am using

[ocsp_app]
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ=UTC

I did notice sometimes data comes in with period or a comma for the milliseconds portion.
so

2014-10-21 22:01:07,348
 2014-10-21 22:01:07.348

Can TIME_FORMAT accept regexs?
This does not seem to work for me as i still get occasional DateParserVerbose errors with it enabled.

TIME_FORMAT = %Y-%m-%d %H:%M:%S(,|.)%3N

Also it seems like Splunk recognizes the timestamp by default using data preview but i still see the dateparserverbose errors on the ocsp_app sourcetype.

ShaneNewman · ‎10-22-2014

I have also had the same problem. Using the information found here, I was able to figure it out 🙂

http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

"DateParserVerbose - Failed to parse timestamp" Error: Can TIME_FORMAT accept multiple formats?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk