Splunk Cloud Platform

How to parse timestamp & other fields in logs with no timestamp?

Sid
Explorer

log sample
[6724268.575s][debug][gc,age] GC(10561) Desired survivor size 33554432 bytes, new threshold 1 (max threshold 15)

I am getting timestamp parsing errors for the above source logs

using below props

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TRUNCATE = 999999
TZ = America/New_York
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk should not be trying to find a timestamp when DATETIME_CONFIG=CURRENT is used.  Perhaps, however, the TZ setting is overriding that.  Try removing the TZ setting.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Sid
Explorer

previously i had only DATETIME_CONFIG=CURRENT but i was still getting timestamp parsing error in data quality dashboard , so i added TZ later.

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...