I am getting these errors, even though I think I have the timestamp parsed correctly based on other Splunk answers.
10-22-2014 22:22:16.138 +0000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Wed Oct 22 22:22:14 2014). Context: source::/app/logs/ocspresponder/ocspresponder.log|host::rat3be-d1-ap|ocsp_app|3549
Some sample data I am working with is as follows.
2014-10-21 22:01:07,348 [http-bio-8080-exec-1895] INFO [c.s.s.o.c.OcspController] GET IP: 24.222.89.103, 10.246.43.228, 72.246.43.217, 207.14.2.74 SN: 10c9cc CA: 10923 SUCC
Here's my props.conf that I am using:
[ocsp_app]
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TZ=UTC
I did notice sometimes data comes in with a period or a comma for the milliseconds portion.
So:
2014-10-21 22:01:07,348
2014-10-21 22:01:07.348
Can TIME_FORMAT accept regexes?
This does not seem to work for me, as I still get occasional DateParserVerbose errors with it enabled.
TIME_FORMAT = %Y-%m-%d %H:%M:%S(,|.)%3N
Also, it seems like Splunk recognizes the timestamp by default using data preview, but I still see the DateParserVerbose errors on the ocsp_app sourcetype.
I have also had the same problem. Using the information found here, I was able to figure it out 🙂
http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem
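A way to find which raw lines trigger the DateParserVerbose warning before changing props.conf, given as an added example that is not part of the original posts or of Splunk itself. It assumes TIME_FORMAT is a strptime-style string whose separator is matched literally within the first MAX_TIMESTAMP_LOOKAHEAD characters; the function names and the sample lines (including the continuation line with no timestamp) are constructed for illustration.

```python
import re
from datetime import datetime

# Values taken from the [ocsp_app] stanza in the question.
MAX_TIMESTAMP_LOOKAHEAD = 24
# Python's strptime has no %3N, so the separator and the three
# millisecond digits are captured by regex and checked separately.
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})([,.])(\d{3})(?!\d)")

def classify(line, configured_sep=","):
    """Return 'ok', 'wrong_separator' or 'no_timestamp' for one raw line."""
    window = line[:MAX_TIMESTAMP_LOOKAHEAD]  # only this prefix is examined
    m = STAMP.match(window)
    if not m:
        return "no_timestamp"
    try:
        # Reject strings that look right but are not real dates (month 13, ...).
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return "no_timestamp"
    return "ok" if m.group(2) == configured_sep else "wrong_separator"

def audit(lines, configured_sep=","):
    """Count verdicts and list (line_number, verdict) for every failing line."""
    counts = {"ok": 0, "wrong_separator": 0, "no_timestamp": 0}
    failures = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line.rstrip("\n"), configured_sep)
        counts[verdict] += 1
        if verdict != "ok":
            failures.append((n, verdict))
    return counts, failures

# Constructed sample, modelled on the event format shown in the question.
SAMPLE = [
    "2014-10-21 22:01:07,348 [http-bio-8080-exec-1895] INFO [c.s.s.o.c.OcspController] GET SN: 10c9cc CA: 10923 SUCC",
    "2014-10-21 22:01:07.348 [http-bio-8080-exec-1896] INFO [c.s.s.o.c.OcspController] GET SN: 10c9cd CA: 10923 SUCC",
    "    at com.example.Handler.run(Handler.java:42)",  # no leading timestamp
    "2014-13-45 22:01:07,348 [main] INFO impossible calendar date",
]

if __name__ == "__main__":
    counts, failures = audit(SAMPLE)
    print(counts)
    for n, verdict in failures:
        print(f"line {n}: {verdict}")
```

Running `audit()` over a copy of the real ocspresponder.log shows whether the warnings come from the period separator or from lines that carry no timestamp at all, which call for different fixes.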